phpldapadmin: cross-site scripting vulnerability

Related Vulnerabilities: CVE-2011-4074, CVE-2011-4075

Debian Bug report logs - #646769
phpldapadmin: cross-site scripting vulnerability

Reported by: Jonathan Wiltshire <jmw@debian.org>

Date: Thu, 27 Oct 2011 00:09:01 UTC

Severity: serious

Tags: patch, security

Found in version phpldapadmin/1.1.0.5-6+lenny1

Fixed in versions phpldapadmin/1.2.0.5-2.1, phpldapadmin/1.2.0.5-2+squeeze1

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Fabio Tranchitella <kobold@debian.org>:
Bug#646769; Package phpldapadmin. (Thu, 27 Oct 2011 00:09:04 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Fabio Tranchitella <kobold@debian.org>. (Thu, 27 Oct 2011 00:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: submit@bugs.debian.org
Subject: phpldapadmin: cross-site scripting vulnerability
Date: Thu, 27 Oct 2011 01:00:47 +0100
Package: phpldapadmin
Severity: serious
Justification: security vulnerability
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpldapadmin.

CVE-2011-4074[0]:
| Input appended to the URL in cmd.php (when "cmd" is set to "_debug")
| is not properly sanitised before being returned to the user. This can be
| exploited to execute arbitrary HTML and script code in a user's browser
| session in context of an affected site.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4074
    http://security-tracker.debian.org/tracker/CVE-2011-4074

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
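To show the class of bug the CVE text describes, the following PHP sketch is an added illustration (not phpldapadmin's code; the function names, the `$debug_enabled` switch and the `_debug` dispatch are assumptions) of a debug handler that reflects the request URI unescaped, beside a hardened version that HTML-encodes it and gates the debug path on a server-side setting.

```php
<?php
// Constructed illustration of a reflected-XSS pattern in a debug handler.
// This is NOT phpldapadmin's code; the names below are assumptions.

// Vulnerable pattern: the raw request URI, which the client fully
// controls, is written straight into the HTML response, so any markup
// carried in the URL becomes part of the rendered page.
function render_debug_unsafe(string $request_uri): string {
    return "<pre>Request: " . $request_uri . "</pre>";
}

// Hardened pattern: encode every untrusted value for the HTML text
// context before output. ENT_QUOTES covers both quote styles and
// ENT_SUBSTITUTE avoids silently emitting an empty string on invalid
// UTF-8; the charset argument must match the page's declared encoding.
function render_debug_safe(string $request_uri): string {
    $escaped = htmlspecialchars($request_uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<pre>Request: " . $escaped . "</pre>";
}

// Dispatcher: a "cmd=_debug" URL parameter is client-selectable, so debug
// output is additionally gated on an explicit server-side flag (assumed
// here to come from configuration) and is otherwise not reachable at all.
function handle_cmd(array $get, string $request_uri, bool $debug_enabled): string {
    $cmd = $get['cmd'] ?? '';
    if ($cmd === '_debug') {
        if (!$debug_enabled) {
            http_response_code(404);
            return '';
        }
        return render_debug_safe($request_uri);
    }
    return '';
}

// Demonstration on a constructed URI that carries markup characters.
$uri = '/cmd.php?cmd=_debug&x=<b>"quoted"</b>';
echo render_debug_unsafe($uri), "\n";               // markup passes through verbatim
echo render_debug_safe($uri), "\n";                 // markup is neutralised as entities
echo handle_cmd(['cmd' => '_debug'], $uri, false), "\n"; // debug disabled: empty body
```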




Bug Marked as found in versions phpldapadmin/1.1.0.5-6+lenny1. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Thu, 27 Oct 2011 09:45:22 GMT)


Added tag(s) patch. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Thu, 27 Oct 2011 20:03:08 GMT)


Added tag(s) pending. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Thu, 27 Oct 2011 20:03:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Fabio Tranchitella <kobold@debian.org>:
Bug#646769; Package phpldapadmin. (Thu, 27 Oct 2011 20:09:10 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Fabio Tranchitella <kobold@debian.org>. (Thu, 27 Oct 2011 20:09:10 GMT)


Message #16 received at 646769@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 646754@bugs.debian.org, 646769@bugs.debian.org
Subject: phpldapadmin: diff for NMU version 1.2.0.5-2.1
Date: Thu, 27 Oct 2011 21:00:13 +0100
tags 646754 + patch
tags 646754 + pending
tags 646769 + patch
tags 646769 + pending
thanks

Dear maintainer,

I've prepared an NMU for phpldapadmin (versioned as 1.2.0.5-2.1) and
uploaded it to DELAYED/1. Please feel free to tell me if I
should delay it longer.

Regards.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
[phpldapadmin-1.2.0.5-2.1-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Fri, 28 Oct 2011 21:12:32 GMT)


Notification sent to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer. (Fri, 28 Oct 2011 21:12:36 GMT)


Message #21 received at 646769-close@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 646769-close@bugs.debian.org
Subject: Bug#646769: fixed in phpldapadmin 1.2.0.5-2.1
Date: Fri, 28 Oct 2011 21:04:41 +0000
Source: phpldapadmin
Source-Version: 1.2.0.5-2.1

We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:

phpldapadmin_1.2.0.5-2.1.diff.gz
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2.1.diff.gz
phpldapadmin_1.2.0.5-2.1.dsc
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2.1.dsc
phpldapadmin_1.2.0.5-2.1_all.deb
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 646769@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated phpldapadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 27 Oct 2011 17:51:24 +0100
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 1.2.0.5-2.1
Distribution: unstable
Urgency: high
Maintainer: Fabio Tranchitella <kobold@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 phpldapadmin - web based interface for administering LDAP servers
Closes: 646754 646769
Changes: 
 phpldapadmin (1.2.0.5-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2011-4074 Fix XSS vulnerability in debug code (Closes: #646769)
   * CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
     (Closes: #646754)





Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Sun, 30 Oct 2011 20:00:06 GMT)


Notification sent to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer. (Sun, 30 Oct 2011 20:00:06 GMT)


Message #26 received at 646769-close@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 646769-close@bugs.debian.org
Subject: Bug#646769: fixed in phpldapadmin 1.2.0.5-2+squeeze1
Date: Sun, 30 Oct 2011 19:56:47 +0000
Source: phpldapadmin
Source-Version: 1.2.0.5-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:

phpldapadmin_1.2.0.5-2+squeeze1.diff.gz
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2+squeeze1.diff.gz
phpldapadmin_1.2.0.5-2+squeeze1.dsc
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2+squeeze1.dsc
phpldapadmin_1.2.0.5-2+squeeze1_all.deb
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 646769@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated phpldapadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 27 Oct 2011 17:51:24 +0100
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 1.2.0.5-2+squeeze1
Distribution: squeeze-security
Urgency: high
Maintainer: Fabio Tranchitella <kobold@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 phpldapadmin - web based interface for administering LDAP servers
Closes: 646754 646769
Changes: 
 phpldapadmin (1.2.0.5-2+squeeze1) squeeze-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * CVE-2011-4074 Fix XSS vulnerability in debug code (Closes: #646769)
   * CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
     (Closes: #646754)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 28 Nov 2011 07:37:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:02:27 2019; Machine Name: buxtehude
