Debian Bug report logs -
#726976
ldap-account-manager: CVE-2013-4453: Pre-Authentication Cross-Site-Scripting in current_language parameter
Reported by: Eric Sesterhenn <snakebyte@gmx.de>
Date: Mon, 21 Oct 2013 06:54:02 UTC
Severity: important
Tags: patch, security
Found in versions 4.3, ldap-account-manager/3.7-2, ldap-account-manager/3.1.0-2
Fixed in version ldap-account-manager/4.4-1
Done: Roland Gruber <post@rolandgruber.de>
Bug is archived. No further changes may be made.
Forwarded to http://sourceforge.net/p/lam/bugs/156/
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Gruber <post@rolandgruber.de>:
Bug#726976; Package ldap-account-manager.
(Mon, 21 Oct 2013 06:54:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Eric Sesterhenn <snakebyte@gmx.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Gruber <post@rolandgruber.de>.
(Mon, 21 Oct 2013 06:54:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ldap-account-manager
Version: 4.3
Severity: grave
Tags: security
Justification: user security hole
=== Security Advisory ===
ldap-account-manager-4.3 - PreAuth XSS
------------------------------------------------------------
Affected Version
================
ldap-account-manager-4.3, ldap-account-manager-4.2.1
and possibly others
Problem Overview
================
Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Debian / Roland Gruber
Reported by: Eric Sesterhenn <snakebyte@gmx.de>
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013001.txt
Advisory Status: Private
Problem Impact
==============
While taking a quick lock at the ldap account manager,
a XSS issue has been found. It is possible to execute JavaScript
in a victims' browser after tricking the victim to post certain data
to the website.
Problem Description
===================
The file "./templates/login.php" contains an Cross-Site-Scripting
Issue on line 122. When the parameter current_language is set to
malicious input (e.g. foo%3A"><script>alert(1)</script>%3Abar)
JavaScript is executed in the victims' browser.
The parameter current_language is retrieved
from $_SESSION['language'] in line 119, which
is a copy of $_POST['language'] (line 117).
Temporary Workaround and Fix
============================
Apply the following patch to properly encode the variable:
--- templates/login.php.orig 2013-09-25 07:53:03.107208062 +0200
+++ templates/login.php 2013-09-25 07:53:20.715207533 +0200
@@ -119,7 +119,7 @@ if (isset($_POST['language'])) {
$current_language = explode(":",$_SESSION['language']);
$_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01
Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n";
$_SESSION['header'] .= "<html>\n<head>\n";
-$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html;
charset=" . $current_language[1] . "\">\n";
+$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html;
charset=" . htmlentities($current_language[1]) . "\">\n";
$_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n
<meta http-equiv=\"cache-control\" content=\"no-cache\">";
/**
History
=======
25.09.2013 - Issue detected
20.10.2013 - Vendor notified
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#726976; Package ldap-account-manager.
(Mon, 21 Oct 2013 18:06:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Roland Gruber <post@rolandgruber.de>:
Extra info received and forwarded to list.
(Mon, 21 Oct 2013 18:06:04 GMT) (full text, mbox, link).
Message #10 received at 726976@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Eric,
thank you very much for reporting this issue.
There is a patch available now:
https://sourceforge.net/p/lam/bugs/156/#a1dc
Best regards
Roland
On 21.10.2013 08:49, Eric Sesterhenn wrote:
> Package: ldap-account-manager Version: 4.3 Severity: grave Tags:
> security Justification: user security hole
>
> === Security Advisory ===
>
> ldap-account-manager-4.3 - PreAuth XSS
> ------------------------------------------------------------
>
> Affected Version ================ ldap-account-manager-4.3,
> ldap-account-manager-4.2.1 and possibly others
>
> Problem Overview ================ Technical Risk: medium Likelihood
> of Exploitation: medium Vendor: Debian / Roland Gruber Reported by:
> Eric Sesterhenn <snakebyte@gmx.de> Advisory updates:
> http://www.rusty-ice.de/advisory/advisory_2013001.txt Advisory
> Status: Private
>
> Problem Impact ============== While taking a quick lock at the ldap
> account manager, a XSS issue has been found. It is possible to
> execute JavaScript in a victims' browser after tricking the victim
> to post certain data to the website.
>
>
> Problem Description =================== The file
> "./templates/login.php" contains an Cross-Site-Scripting Issue on
> line 122. When the parameter current_language is set to malicious
> input (e.g. foo%3A"><script>alert(1)</script>%3Abar) JavaScript is
> executed in the victims' browser. The parameter current_language is
> retrieved from $_SESSION['language'] in line 119, which is a copy
> of $_POST['language'] (line 117).
>
>
> Temporary Workaround and Fix ============================ Apply the
> following patch to properly encode the variable:
>
> --- templates/login.php.orig 2013-09-25 07:53:03.107208062
> +0200 +++ templates/login.php 2013-09-25 07:53:20.715207533 +0200
> @@ -119,7 +119,7 @@ if (isset($_POST['language'])) {
> $current_language = explode(":",$_SESSION['language']);
> $_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML
> 4.01 Transitional//EN\"
> \"http://www.w3.org/TR/html4/loose.dtd\">\n\n"; $_SESSION['header']
> .= "<html>\n<head>\n"; -$_SESSION['header'] .= "<meta
> http-equiv=\"content-type\" content=\"text/html; charset=" .
> $current_language[1] . "\">\n"; +$_SESSION['header'] .= "<meta
> http-equiv=\"content-type\" content=\"text/html; charset=" .
> htmlentities($current_language[1]) . "\">\n"; $_SESSION['header']
> .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <meta
> http-equiv=\"cache-control\" content=\"no-cache\">";
>
> /**
>
>
> History ======= 25.09.2013 - Issue detected 20.10.2013 - Vendor
> notified
>
>
>
> -- System Information: Debian Release: jessie/sid APT prefers
> testing APT policy: (500, 'testing') Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores) Locale:
> LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell:
> /bin/sh linked to /bin/dash
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/
iEYEARECAAYFAlJlamcACgkQq/ywNCsrGZ58SgCfUFOWSltgfgJrzMO8CsDHRwKS
ougAn3jeIxe3PsswAWNaPQCcFhDjDuPL
=Zxx1
-----END PGP SIGNATURE-----
Added tag(s) patch.
Request was from Roland Gruber <post@rolandgruber.de>
to control@bugs.debian.org.
(Mon, 21 Oct 2013 18:45:04 GMT) (full text, mbox, link).
Marked as found in versions ldap-account-manager/3.1.0-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 21 Oct 2013 21:27:05 GMT) (full text, mbox, link).
Marked as found in versions ldap-account-manager/3.7-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 21 Oct 2013 21:27:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Roland Gruber <post@rolandgruber.de>:
Bug#726976; Package ldap-account-manager.
(Tue, 22 Oct 2013 05:51:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Gruber <post@rolandgruber.de>.
(Tue, 22 Oct 2013 05:51:04 GMT) (full text, mbox, link).
Message #23 received at 726976@bugs.debian.org (full text, mbox, reply):
severity 726976 important
thanks
Hi
As the attack vector includes that malicious data via POST I think
it's safe to downgrade the severity to important.
p.s.: I have requested a CVE for this issue on the oss-security list.
Regards
Salvatore
Severity set to 'important' from 'grave'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 22 Oct 2013 05:51:07 GMT) (full text, mbox, link).
Changed Bug title to 'ldap-account-manager: CVE-2013-4453: Pre-Authentication Cross-Site-Scripting in current_language parameter' from 'ldap-account-manager: Pre-Authentication Cross-Site-Scripting in current_language parameter'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 22 Oct 2013 05:57:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Roland Gruber <post@rolandgruber.de>:
Bug#726976; Package ldap-account-manager.
(Tue, 22 Oct 2013 07:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Eric Sesterhenn <snakebyte@gmx.de>:
Extra info received and forwarded to list. Copy sent to Roland Gruber <post@rolandgruber.de>.
(Tue, 22 Oct 2013 07:03:04 GMT) (full text, mbox, link).
Message #32 received at 726976@bugs.debian.org (full text, mbox, reply):
Hello Roland,
* Roland Gruber (post@rolandgruber.de) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Eric,
>
> thank you very much for reporting this issue.
>
>
> There is a patch available now:
>
> https://sourceforge.net/p/lam/bugs/156/#a1dc
thanks for the quick reply. The patch looks good to me, even if this
issue is still exploitable with a malicious cookie (but I dont see a way
to place such data into a cookie for an attacker).
To nitpick, the description "E.g. it is not sufficient to click on a link."
is not correct, if the victim clicks on a link to a different
web-site, which contains a web form and JavaScript to submit this form automatically
this can be exploited without requiring more user interaction.
Regards, Eric
> Best regards
>
> Roland
>
>
> On 21.10.2013 08:49, Eric Sesterhenn wrote:
> > Package: ldap-account-manager Version: 4.3 Severity: grave Tags:
> > security Justification: user security hole
> >
> > === Security Advisory ===
> >
> > ldap-account-manager-4.3 - PreAuth XSS
> > ------------------------------------------------------------
> >
> > Affected Version ================ ldap-account-manager-4.3,
> > ldap-account-manager-4.2.1 and possibly others
> >
> > Problem Overview ================ Technical Risk: medium Likelihood
> > of Exploitation: medium Vendor: Debian / Roland Gruber Reported by:
> > Eric Sesterhenn <snakebyte@gmx.de> Advisory updates:
> > http://www.rusty-ice.de/advisory/advisory_2013001.txt Advisory
> > Status: Private
> >
> > Problem Impact ============== While taking a quick lock at the ldap
> > account manager, a XSS issue has been found. It is possible to
> > execute JavaScript in a victims' browser after tricking the victim
> > to post certain data to the website.
> >
> >
> > Problem Description =================== The file
> > "./templates/login.php" contains an Cross-Site-Scripting Issue on
> > line 122. When the parameter current_language is set to malicious
> > input (e.g. foo%3A"><script>alert(1)</script>%3Abar) JavaScript is
> > executed in the victims' browser. The parameter current_language is
> > retrieved from $_SESSION['language'] in line 119, which is a copy
> > of $_POST['language'] (line 117).
> >
> >
> > Temporary Workaround and Fix ============================ Apply the
> > following patch to properly encode the variable:
> >
> > --- templates/login.php.orig 2013-09-25 07:53:03.107208062
> > +0200 +++ templates/login.php 2013-09-25 07:53:20.715207533 +0200
> > @@ -119,7 +119,7 @@ if (isset($_POST['language'])) {
> > $current_language = explode(":",$_SESSION['language']);
> > $_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML
> > 4.01 Transitional//EN\"
> > \"http://www.w3.org/TR/html4/loose.dtd\">\n\n"; $_SESSION['header']
> > .= "<html>\n<head>\n"; -$_SESSION['header'] .= "<meta
> > http-equiv=\"content-type\" content=\"text/html; charset=" .
> > $current_language[1] . "\">\n"; +$_SESSION['header'] .= "<meta
> > http-equiv=\"content-type\" content=\"text/html; charset=" .
> > htmlentities($current_language[1]) . "\">\n"; $_SESSION['header']
> > .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <meta
> > http-equiv=\"cache-control\" content=\"no-cache\">";
> >
> > /**
> >
> >
> > History ======= 25.09.2013 - Issue detected 20.10.2013 - Vendor
> > notified
> >
> >
> >
> > -- System Information: Debian Release: jessie/sid APT prefers
> > testing APT policy: (500, 'testing') Architecture: amd64 (x86_64)
> > Foreign Architectures: i386
> >
> > Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores) Locale:
> > LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell:
> > /bin/sh linked to /bin/dash
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Icedove - http://www.enigmail.net/
>
> iEYEARECAAYFAlJlamcACgkQq/ywNCsrGZ58SgCfUFOWSltgfgJrzMO8CsDHRwKS
> ougAn3jeIxe3PsswAWNaPQCcFhDjDuPL
> =Zxx1
> -----END PGP SIGNATURE-----
Reply sent
to Roland Gruber <post@rolandgruber.de>:
You have taken responsibility.
(Thu, 19 Dec 2013 09:51:23 GMT) (full text, mbox, link).
Notification sent
to Eric Sesterhenn <snakebyte@gmx.de>:
Bug acknowledged by developer.
(Thu, 19 Dec 2013 09:51:23 GMT) (full text, mbox, link).
Message #37 received at 726976-close@bugs.debian.org (full text, mbox, reply):
Source: ldap-account-manager
Source-Version: 4.4-1
We believe that the bug you reported is fixed in the latest version of
ldap-account-manager, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 726976@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roland Gruber <post@rolandgruber.de> (supplier of updated ldap-account-manager package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 18 Dec 2013 17:47:35 +0200
Source: ldap-account-manager
Binary: ldap-account-manager ldap-account-manager-lamdaemon
Architecture: source all
Version: 4.4-1
Distribution: unstable
Urgency: low
Maintainer: Roland Gruber <post@rolandgruber.de>
Changed-By: Roland Gruber <post@rolandgruber.de>
Description:
ldap-account-manager - webfrontend for managing accounts in an LDAP directory
ldap-account-manager-lamdaemon - Quota and home directory management for LDAP Account Manager
Closes: 726976
Changes:
ldap-account-manager (4.4-1) unstable; urgency=low
.
* Fix "Pre-Authentication Cross-Site-Scripting in current_language
parameter" by updating templates/login.php (Closes: #726976)
* new upstream release
Checksums-Sha1:
2409319d96919c8668ba977285830cc76c3fde00 1262 ldap-account-manager_4.4-1.dsc
de6aa0af1ae0d54962f1c4920273c20f78608725 13557991 ldap-account-manager_4.4.orig.tar.bz2
952f5b17b012880ba9d551d60efd314e97385b26 23315 ldap-account-manager_4.4-1.debian.tar.gz
386c7c9a919cb32d778a0ef21afd1b883d0f8304 12412208 ldap-account-manager_4.4-1_all.deb
58b7f78013a409a42074f650c43b5520fbf94636 20594 ldap-account-manager-lamdaemon_4.4-1_all.deb
Checksums-Sha256:
a99f895c6f7c392b1f6ca8e31ef5bc09a0660f11e2dfc348958072bcab941b07 1262 ldap-account-manager_4.4-1.dsc
990b963a98a7a6ee1e15072010b7da3a11535e205c4c5c6724676dc2deb44789 13557991 ldap-account-manager_4.4.orig.tar.bz2
0659b72a2c13bcab1bfd3707361fafdc3a121edbdf689a77e3cbaa62d06edd02 23315 ldap-account-manager_4.4-1.debian.tar.gz
5d39ade22bc8182945db96d69596d9feb60b66a95d012940410bf57aeb73879d 12412208 ldap-account-manager_4.4-1_all.deb
a3be77403faf92cbd8fea6981ebe06e15c0559d7ea8bb7e5fc708a9ff8845b6d 20594 ldap-account-manager-lamdaemon_4.4-1_all.deb
Files:
c92b8acef40f78327fac36ddec0ac894 1262 web extra ldap-account-manager_4.4-1.dsc
7ed89d9fd935ae44fa7236b06a255550 13557991 web extra ldap-account-manager_4.4.orig.tar.bz2
0ea10b52816d428dd449df424111e68c 23315 web extra ldap-account-manager_4.4-1.debian.tar.gz
9fab556f36ab5cb40dd2c16fcf00aa0d 12412208 web extra ldap-account-manager_4.4-1_all.deb
34112d8499ebe51efb3c56c0b61cd0de 20594 web extra ldap-account-manager-lamdaemon_4.4-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlKyuy4ACgkQK/juK3+WFWRRGgCeO73SCLOBUdomvRP4go+br59o
OqEAnjEwpjeAY2+d+zfDoS1pMGR/VITd
=soMD
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 27 Jan 2014 07:35:09 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:12:48 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon