 |
| Prev-20 | Home | Next-20 |
| Prev-20 | Home | Next-20 |
| Prev- | Prev- | Debian- | Mar- | Next- | Next- |
| Subject: | ldap-account-manager does not escape HTML special chars |
| Group: | Debian-security |
| From: | Roland Gruber |
| Date: | 21 Mar 2007 |
severity 415379 grave
tags 415379 + security
stop
Hi Debian security,
a user reported that LAM does not escape HTML special chars if such data
is read from LDAP and displayed in the browser. E.g. the LDAP attribute
which stores an account description could include "<", ">" and such chars.
Possible attack targets:
Admin users who manage user and group accounts with LAM. LAM only allows
a predefined list of admin users to use this application. Therefore only
these persons can be attacked.
Needed priviledges to start attack:
An attacker needs write access to the LDAP directory. This requires an
valid LDAP account and LDAP ACLs which allow this account to write data.
By default only admin users have write access. But ordinary users may
also get access to change their mail address etc.
Affected releases:
Debian stable: ldap-account-manager 0.4.9-2
Debian Etch/testing: ldap-account-manager 1.1.1-1
Debian Unstable: ldap-account-manager 1.2.0-1
I will build patches right now.
--
Best regards
Roland Gruber
LDAP Account Manager
http://lam.sourceforge.net
Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm
| Prev- | Prev- | Debian- | Mar- | Next- | Next- |