
XSS in cmd.php for 1.2.5 #130

Closed
4ndygu opened this issue Dec 1, 2020 · 15 comments

Comments

@4ndygu

4ndygu commented Dec 1, 2020

A user can set a field to an XSS payload, which triggers when the confirmation screen for whether to confirm the change is raised.

From cmd.php, say I have an attribute set to the following:

Screen Shot 2020-12-01 at 9 55 48 AM

Then, say I am an admin and would like to change that field back:

Screen Shot 2020-12-01 at 9 56 09 AM

When the field prompts me for a change, the payload is triggered. A user can log into user 1 and request a change, then wait for an admin to try deleting the field, which would trigger the payload for that user.

Screen Shot 2020-12-01 at 9 56 16 AM
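The root cause the report describes is an attribute value written into the confirmation page without HTML encoding, so markup stored by a low-privileged user is parsed in the admin's browser. The following is an added PHP illustration, not phpLDAPadmin's code: the `render_confirm_unsafe`/`render_confirm` functions, the `h()` helper and the sample attribute arrays are constructed for the example.

```php
<?php
// Added illustration, not phpLDAPadmin code: a hypothetical "confirm this
// change?" table built from attribute values that a user controls.

// Constructed sample: the value a low-privileged user stored in an attribute.
// Any markup here is part of the stored value, not something the admin typed.
$attrs_old = ['description' => '<b>note</b> "quoted" & more'];
$attrs_new = ['description' => 'plain text'];

// Vulnerable pattern (the behaviour the report describes): the raw value is
// interpolated into the page, so whatever the user stored becomes HTML in
// the admin's session.
function render_confirm_unsafe(array $old, array $new): string {
    $html = "<table>\n";
    foreach ($old as $attr => $val) {
        $html .= "<tr><td>$attr</td><td>$val</td><td>{$new[$attr]}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened version: every untrusted string is encoded for the HTML text
// context before it reaches the output. ENT_QUOTES covers both quote styles,
// so the same helper is also safe inside attribute values; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string, which would
// silently hide the value rather than show it.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_confirm(array $old, array $new): string {
    $html = "<table>\n";
    foreach ($old as $attr => $val) {
        // Attribute names come from the directory too, so encode them as well.
        $html .= '<tr><td>' . h($attr) . '</td><td>' . h($val) . '</td><td>'
               . h($new[$attr] ?? '') . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// The unsafe table carries the stored <b> tag through as live markup; the
// hardened table carries only entity-encoded text, so the browser displays
// the stored value literally and nothing in it is interpreted.
echo render_confirm_unsafe($attrs_old, $attrs_new);
echo render_confirm($attrs_old, $attrs_new);
```

Verifying a fix for a report like this means checking every place the confirmation page echoes directory data, including attribute names and the "new value" column, not only the field the reporter happened to use.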

@leenooks
Owner

leenooks commented Dec 1, 2020

Problem doesn't appear to be in 1.2.6.2 - please let me know if it is.

@leenooks leenooks closed this as completed Dec 1, 2020
@setharnold

I didn't look exhaustively but this commit appears likely to have addressed the issue:

c87571f

Do you know if a CVE has been assigned for this issue yet?

Thanks

@4ndygu
Author

4ndygu commented Dec 2, 2020

Hi!

I don't think so -- do you know how I can go about this? I apologize for the lack of knowledge / context here. If it helps, I filed a report at https://bugs.launchpad.net/ubuntu/+source/phpldapadmin, but the ticket should be private since it's a security issue.

  • Andy

@setharnold

setharnold commented Dec 2, 2020 via email

@4ndygu
Author

4ndygu commented Dec 2, 2020

Cool, thanks! It seems like you confirmed it here: https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1906474. No CVE number is currently assigned.

@alexmurray

This was assigned CVE-2020-35132 by MITRE.

@epozuelo

@leenooks @4ndygu are you sure this is fixed in 1.2.6.2? I can still reproduce this issue with that version.

@epozuelo

epozuelo commented Jan 5, 2021

Ping? I think this is unfixed; can someone double check & reopen?

@4ndygu
Author

4ndygu commented Jan 5, 2021

@leenooks Can we take a second look at the fix if possible? I am currently indisposed and have nuked my environment but can spin it back up in a few weeks otherwise to confirm @epozuelo.

@epozuelo

Any news on this? Can this issue be reopened to match its current status?

@4ndygu
Author

4ndygu commented Jan 30, 2021

Hey @epozuelo ! I don't think I have permissions here to re-open, but @leenooks should. I wonder if it would make sense in this case to open a new issue for visibility.

@setharnold

My suggestion is to open a new issue -- anyone can do that, it'll help reduce confusion, etc. It'd be best to include a small reproducer that can be clearly used to demonstrate when the issue has been fixed.

Thanks

@epozuelo

I have opened #137. Please someone double check if you can also reproduce this issue with 1.2.6.2 and report there. Thanks!

@epozuelo

> @leenooks Can we take a second look at the fix if possible? I am currently indisposed and have nuked my environment but can spin it back up in a few weeks otherwise to confirm @epozuelo.

@4ndygu any chance you can retest with current git master? I'd like to verify if this is still unfixed as I found in my tests. Thanks!

@epozuelo

> > @leenooks Can we take a second look at the fix if possible? I am currently indisposed and have nuked my environment but can spin it back up in a few weeks otherwise to confirm @epozuelo.
>
> @4ndygu any chance you can retest with current git master? I'd like to verify if this is still unfixed as I found in my tests. Thanks!

Sorry I meant BRANCH-1.2 (or 1.2.6.2), not git master which is 2.x (although the same problem probably applies to the master branch)
