Debian Bug report logs - #415379
ldap-account-manager: quoting of user description field broken


Package: ldap-account-manager; Maintainer for ldap-account-manager is Roland Gruber <post@rolandgruber.de>; Source for ldap-account-manager is src:ldap-account-manager.

Reported by: Brian May <bam@snoopy.debian.net>

Date: Sun, 18 Mar 2007 22:57:02 UTC

Severity: grave

Tags: security

Found in versions ldap-account-manager/1.1.1-1, ldap-account-manager/0.4.9-2

Fixed in versions ldap-account-manager/1.1.1-2, ldap-account-manager/1.3.0-1

Done: Roland Gruber <post@rolandgruber.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Roland Gruber <post@rolandgruber.de>:
Bug#415379; Package ldap-account-manager.

Acknowledgement sent to Brian May <bam@snoopy.debian.net>:
New Bug report received and forwarded. Copy sent to Roland Gruber <post@rolandgruber.de>.

Message #5 received at submit@bugs.debian.org:

From: Brian May <bam@snoopy.debian.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ldap-account-manager: quoting of user description field broken
Date: Mon, 19 Mar 2007 09:53:40 +1100
Package: ldap-account-manager
Version: 1.1.1-1
Severity: important


TREE VIEW

In tree view, if I change the description to

123"456'789

I see:

Do you want to make these changes?

Attribute       Old value       New value
description     les             123\"456\'789

which is different, and then when I push commit, the value comes out as:

123\\\"456\\\'789



USERS VIEW

The HTML generated for the form is:

<td>
<input name="description" size="30" maxlength="255" value="123\\\" 456="" 789="" tabindex="5002" type="text"></td>

Which again is very broken.


(possibly something like this might be a security issue, but I haven't
really considered this in detail yet - presumably the data from LDAP
should be trusted so it should be OK...)

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-xen-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#415379; Package ldap-account-manager.

Acknowledgement sent to Roland Gruber <post@rolandgruber.de>:
Extra info received and forwarded to list.

Message #10 received at 415379@bugs.debian.org:

From: Roland Gruber <post@rolandgruber.de>
To: Brian May <bam@snoopy.debian.net>
Cc: 415379@bugs.debian.org
Subject: Re: Bug#415379: ldap-account-manager: quoting of user description field broken
Date: Tue, 20 Mar 2007 12:16:00 +0100
Hi Brian,

Brian May schrieb:
> Attribute       Old value       New value
> description     les             123\"456\'789
> 
> which is different, and then when I push commit, the value comes out as:
> 
> 123\\\"456\\\'789

I will provide a fix for this in the next release. However, it will not
be included in Etch since it is not critical/security related.

As workaround you can set magic_quotes_gpc to "Off" in your php.ini file.


-- 

Best regards

Roland Gruber


LDAP Account Manager
http://lam.sourceforge.net

Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Gruber <post@rolandgruber.de>:
Bug#415379; Package ldap-account-manager.

Acknowledgement sent to Brian May <bam@snoopy.debian.net>:
Extra info received and forwarded to list. Copy sent to Roland Gruber <post@rolandgruber.de>.

Message #15 received at 415379@bugs.debian.org:

From: Brian May <bam@snoopy.debian.net>
To: Roland Gruber <post@rolandgruber.de>
Cc: 415379@bugs.debian.org
Subject: Re: Bug#415379: ldap-account-manager: quoting of user description field broken
Date: Wed, 21 Mar 2007 11:07:22 +1100
>>>>> "Roland" == Roland Gruber <post@rolandgruber.de> writes:

    Roland> I will provide a fix for this in the next
    Roland> release. However, it will not be included in Etch since it
    Roland> is not critical/security related.

Hmmm. I think it could still meet the requirements,
regardless. e.g. if you argued it was corrupting data.

Still... Your call.

    Roland> As workaround you can set magic_quotes_gpc to "Off" in
    Roland> your php.ini file.

Is this likely to have any side effects, e.g. breaking other
applications?

Unfortunately, while this fixes the problem with tree view, it does
not fix the problem with the generated HTML in the personal user
editor - everything appears in the textbox up to the first "
character, and after that everything else appears outside the text
box.

The value needs to be HTML encoded before it is passed as a value to
the HTML textbox.

(This type of thing is normally a security issue - not sure about this
particular case though).
-- 
Brian May <bam@snoopy.debian.net>
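The two defects described in the messages above, reproduced as an added example; this is not LAM's code and not part of the bug log. The reported values are copied from the report; the flow model (the value is POSTed once from the edit form and once more from the confirmation page, so magic_quotes_gpc adds slashes twice) is an interpretation that reproduces the values shown. addslashes()/stripslashes() mirror the PHP functions of the same name, and parse_start_tag() is a toy stand-in for a browser's attribute tokenizer, not a real HTML5 parser. The PHP calls named in the comments (get_magic_quotes_gpc(), stripslashes(), htmlspecialchars() with ENT_QUOTES) are the standard fixes; the example does not claim that LAM's own fix used them.

```python
"""Added example, not LAM's code: the two defects from bug #415379 reproduced
in Python, each beside its fix.  addslashes()/stripslashes() mirror the PHP
functions of the same name; parse_start_tag() is a toy stand-in for a browser's
attribute tokenizer (an assumption, not a real HTML5 parser)."""
import html
import re

# Constants copied from the bug log (constructed here for the example).
REPORTED_INPUT = "123\"456'789"         # what the reporter typed
REPORTED_CONFIRM = r"123\"456\'789"     # "New value" on the confirmation page
REPORTED_STORED = r"123\\\"456\\\'789"  # what ended up in LDAP after commit


def addslashes(s: str) -> str:
    """PHP addslashes(): what magic_quotes_gpc applies to every request value."""
    return re.sub(r"([\\'\"])", r"\\\1", s)


def stripslashes(s: str) -> str:
    """PHP stripslashes(): exact inverse of addslashes()."""
    return re.sub(r"\\(.)", r"\1", s)


def request_value(submitted: str, magic_quotes_gpc: bool) -> str:
    """What a PHP script sees in $_POST for a submitted field."""
    return addslashes(submitted) if magic_quotes_gpc else submitted


def normalize_input(received: str, magic_quotes_gpc: bool) -> str:
    """Fix 1: undo magic quotes exactly once, at the input boundary
    (PHP: get_magic_quotes_gpc() ? stripslashes($v) : $v)."""
    return stripslashes(received) if magic_quotes_gpc else received


def commit_flow(typed: str, magic_quotes_gpc: bool, fixed: bool):
    """Model of the tree-view edit: the value is POSTed once from the edit form
    and again from the 'Do you want to make these changes?' page, so magic
    quotes run twice.  Returns (value shown on confirmation, value stored)."""
    shown = request_value(typed, magic_quotes_gpc)
    if fixed:
        shown = normalize_input(shown, magic_quotes_gpc)
    stored = request_value(shown, magic_quotes_gpc)
    if fixed:
        stored = normalize_input(stored, magic_quotes_gpc)
    return shown, stored


def render_input(description: str, escape: bool) -> str:
    """The users-view text box.  Fix 2: HTML-encode the value before it is put
    into the attribute (PHP: htmlspecialchars($description, ENT_QUOTES))."""
    if escape:
        description = html.escape(description, quote=True)
    return ('<input name="description" size="30" maxlength="255" '
            f'value="{description}" tabindex="5002" type="text">')


# name, optionally followed by '=' and a "..."-, '...'- or unquoted value
_ATTR = re.compile(r"""\s*([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S*)))?""")


def parse_start_tag(tag: str) -> dict:
    """Toy attribute tokenizer for one start tag: enough to show that a raw
    quote ends the value and the rest of the text becomes stray attributes."""
    parts = tag[1:-1].split(None, 1)    # drop '<', '>' and the tag name
    body = parts[1] if len(parts) > 1 else ""
    attrs = {}
    for m in _ATTR.finditer(body):
        attrs[m.group(1)] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def value_round_trips(description: str) -> bool:
    """True if the escaped field, as parsed above, yields the original text."""
    attrs = parse_start_tag(render_input(description, escape=True))
    return html.unescape(attrs["value"]) == description


if __name__ == "__main__":
    print(commit_flow(REPORTED_INPUT, magic_quotes_gpc=True, fixed=False))
    print(parse_start_tag(render_input(REPORTED_INPUT, escape=False)))
    print(parse_start_tag(render_input(REPORTED_INPUT, escape=True)))
```

With escape=False the parsed `value` is just `123` and `456'789"` turns up as an attribute of its own, which is the "everything up to the first quote" symptom from the report; with escaping the whole string survives. Two caveats for anyone applying the php.ini workaround: magic_quotes_gpc is a server-wide php.ini setting, so turning it off affects every PHP application on that host that relies on it (the directive is PHP_INI_PERDIR, so with mod_php it can be switched off for LAM's directory alone via php_flag in the Apache configuration; the feature was deprecated in PHP 5.3 and removed in 5.4), and it does nothing for the second defect, which is purely an output-encoding omission. The output-side point is the security-relevant one: data read back from LDAP is not trustworthy for rendering, since any principal allowed to write the description attribute in the directory controls markup shown in the browser of whoever opens that account in LAM.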



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#415379; Package ldap-account-manager.

Acknowledgement sent to Roland Gruber <post@rolandgruber.de>:
Extra info received and forwarded to list.

Message #20 received at 415379@bugs.debian.org:

From: Roland Gruber <post@rolandgruber.de>
To: Brian May <bam@snoopy.debian.net>, 415379@bugs.debian.org
Subject: Re: Bug#415379: ldap-account-manager: quoting of user description field broken
Date: Wed, 21 Mar 2007 12:25:50 +0100
Hi Brian,

Brian May schrieb:
> Unfortunately, while this fixes the problem with tree view, it does
> not fix the problem with the generated HTML in the personal user
> editor - everything appears in the textbox up to the first "
> character, and after that everything else appears outside the text
> box.

now I see what you mean. I first thought that only additional
backslashes were added but the second problem is that HTML characters
are not escaped in the output.

I will discuss this with my sponsor and increase the bug priority if needed.


-- 

Best regards

Roland Gruber


LDAP Account Manager
http://lam.sourceforge.net

Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#415379; Package ldap-account-manager.

Acknowledgement sent to Roland Gruber <post@rolandgruber.de>:
Extra info received and forwarded to list.

Severity set to `grave' from `important'. Request was from Roland Gruber <post@rolandgruber.de> to control@bugs.debian.org. (Wed, 21 Mar 2007 12:21:06 GMT)

Tags added: security. Request was from Roland Gruber <post@rolandgruber.de> to control@bugs.debian.org. (Wed, 21 Mar 2007 12:21:08 GMT)

Bug marked as found in version 0.4.9-2. Request was from Roland Gruber <post@rolandgruber.de> to control@bugs.debian.org. (Wed, 21 Mar 2007 17:51:06 GMT)

Reply sent to Roland Gruber <post@rolandgruber.de>:
You have taken responsibility.

Notification sent to Brian May <bam@snoopy.debian.net>:
Bug acknowledged by developer.

Message #36 received at 415379-close@bugs.debian.org:

From: Roland Gruber <post@rolandgruber.de>
To: 415379-close@bugs.debian.org
Subject: Bug#415379: fixed in ldap-account-manager 1.1.1-2
Date: Thu, 22 Mar 2007 17:17:03 +0000
Source: ldap-account-manager
Source-Version: 1.1.1-2

We believe that the bug you reported is fixed in the latest version of
ldap-account-manager, which is due to be installed in the Debian FTP archive:

ldap-account-manager_1.1.1-2.diff.gz
  to pool/main/l/ldap-account-manager/ldap-account-manager_1.1.1-2.diff.gz
ldap-account-manager_1.1.1-2.dsc
  to pool/main/l/ldap-account-manager/ldap-account-manager_1.1.1-2.dsc
ldap-account-manager_1.1.1-2_all.deb
  to pool/main/l/ldap-account-manager/ldap-account-manager_1.1.1-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 415379@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Gruber <post@rolandgruber.de> (supplier of updated ldap-account-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 21 Mar 2007 14:11:42 +0100
Source: ldap-account-manager
Binary: ldap-account-manager
Architecture: source all
Version: 1.1.1-2
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Roland Gruber <post@rolandgruber.de>
Changed-By: Roland Gruber <post@rolandgruber.de>
Description: 
 ldap-account-manager - webfrontend for managing accounts in an LDAP directory
Closes: 415379
Changes: 
 ldap-account-manager (1.1.1-2) testing-proposed-updates; urgency=high
 .
   * security fix
   * quoting of user description field broken (Closes: #415379)
Files: 
 5b0c17cd0898aa3eeddebadab3ff83c2 631 web extra ldap-account-manager_1.1.1-2.dsc
 31456679488e8877fb20568c8c18ef63 16610 web extra ldap-account-manager_1.1.1-2.diff.gz
 ef8ebe48e1b291631b63b7ba103a9025 1638520 web extra ldap-account-manager_1.1.1-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGArcAK/juK3+WFWQRArukAJ9wkyA4rEGq3y3HV6w+O3eWqTg75ACbBKhg
ieE0IezNNC0hYz4QOn/1Nt4=
=PrhD
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Roland Gruber <post@rolandgruber.de>:
Bug#415379; Package ldap-account-manager.

Acknowledgement sent to "peter green" <plugwash@P10Link.net>:
Extra info received and forwarded to list. Copy sent to Roland Gruber <post@rolandgruber.de>.

Message #41 received at 415379@bugs.debian.org:

From: "peter green" <plugwash@P10Link.net>
To: <415379@bugs.debian.org>
Subject: fixed in testing but what about unstable
Date: Tue, 27 Mar 2007 03:31:19 +0100
this bug has been fixed in testing through a TPU upload but there doesn't seem to be any information on if it is still present in unstable.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#415379; Package ldap-account-manager.

Acknowledgement sent to Roland Gruber <post@rolandgruber.de>:
Extra info received and forwarded to list.

Message #46 received at 415379@bugs.debian.org:

From: Roland Gruber <post@rolandgruber.de>
To: peter green <plugwash@P10Link.net>, 415379@bugs.debian.org
Subject: Re: Bug#415379: fixed in testing but what about unstable
Date: Tue, 27 Mar 2007 20:51:23 +0200
Hi Peter,

peter green schrieb:
> this bug has been fixed in testing through a TPU upload but there doesn't seem to be any information on if it is still present in unstable.

yes, it is still present in Unstable.
But since the regular 1.3.0 release which includes a fix will be
published tomorrow, I did not build a patch.

I also built a patch for Stable but my sponsor did not yet upload it.


-- 

Best regards

Roland Gruber


LDAP Account Manager
http://lam.sourceforge.net

Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Roland Gruber <post@rolandgruber.de>:
You have taken responsibility.

Notification sent to Brian May <bam@snoopy.debian.net>:
Bug acknowledged by developer.

Message #51 received at 415379-close@bugs.debian.org:

From: Roland Gruber <post@rolandgruber.de>
To: 415379-close@bugs.debian.org
Subject: Bug#415379: fixed in ldap-account-manager 1.3.0-1
Date: Mon, 02 Apr 2007 18:17:03 +0000
Source: ldap-account-manager
Source-Version: 1.3.0-1

We believe that the bug you reported is fixed in the latest version of
ldap-account-manager, which is due to be installed in the Debian FTP archive:

ldap-account-manager_1.3.0-1.diff.gz
  to pool/main/l/ldap-account-manager/ldap-account-manager_1.3.0-1.diff.gz
ldap-account-manager_1.3.0-1.dsc
  to pool/main/l/ldap-account-manager/ldap-account-manager_1.3.0-1.dsc
ldap-account-manager_1.3.0-1_all.deb
  to pool/main/l/ldap-account-manager/ldap-account-manager_1.3.0-1_all.deb
ldap-account-manager_1.3.0.orig.tar.gz
  to pool/main/l/ldap-account-manager/ldap-account-manager_1.3.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 415379@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Gruber <post@rolandgruber.de> (supplier of updated ldap-account-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 26 Mar 2007 20:30:52 +0100
Source: ldap-account-manager
Binary: ldap-account-manager
Architecture: source all
Version: 1.3.0-1
Distribution: unstable
Urgency: low
Maintainer: Roland Gruber <post@rolandgruber.de>
Changed-By: Roland Gruber <post@rolandgruber.de>
Description: 
 ldap-account-manager - webfrontend for managing accounts in an LDAP directory
Closes: 414374 415379
Changes: 
 ldap-account-manager (1.3.0-1) unstable; urgency=low
 .
   * New upstream release
   * quoting of user description field broken (Closes: #415379)
   * [INTL:pt] Portuguese translation for debconf messages (Closes:
     #414374)
Files: 
 30fb7cd5ffb833f625952566fd113dd8 631 web extra ldap-account-manager_1.3.0-1.dsc
 63f64d07f8ea86a0a84accfb91b352fb 1720014 web extra ldap-account-manager_1.3.0.orig.tar.gz
 20fc1ae223941ca5013cf68c802baf96 15954 web extra ldap-account-manager_1.3.0-1.diff.gz
 2f0890c142145da12a7e2a10dac29b3c 1667908 web extra ldap-account-manager_1.3.0-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGEUYoK/juK3+WFWQRAgmeAJ9SK8djvuIt405bbAwC3Cbigpot6ACeKMJ/
ocSlfTdM0p8PG+8auF+N5BE=
=1aI+
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 17:46:47 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:52:19 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.