Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 401901 (CVE-2012-0834)

Summary: <net-nds/phpldapadmin-1.2.2-r1 : "base" Cross-Site Scripting Vulnerability (CVE-2012-0834)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: jmbsvicetto, vostorga, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/47852/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-02-02 11:08:48 UTC 
From secunia security advisory at $URL:

Description:
Input passed via the "base" parameter to cmd.php (when "cmd" is set to "query_engine") is not properly sanitised in lib/QueryRender.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 1.2.2. Other versions may also be affected.


Solution
Fixed in the git repository.

Original Advisory
https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546
http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;a=commit;h=7dc8d57d6952fe681cb9e8818df7f103220457bd
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2012-02-02 21:21:12 UTC 
net-nds/phpldapadmin-1.2.2-r1 with the patch added to the tree.
Comment 2 Agostino Sarubbo gentoo-dev 2012-02-02 21:23:39 UTC 
thanks Jorge, closing
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:35:51 UTC 
CVE-2012-0834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0834):
  Cross-site scripting (XSS) vulnerability in lib/QueryRender.php in
  phpLDAPadmin 1.2.2 and earlier allows remote attackers to inject arbitrary
  web script or HTML via the base parameter in a query_engine action to
  cmd.php.