Debian Bug report logs - #726976
ldap-account-manager: CVE-2013-4453: Pre-Authentication Cross-Site-Scripting in current_language parameter


Package: ldap-account-manager; Maintainer for ldap-account-manager is Roland Gruber <post@rolandgruber.de>; Source for ldap-account-manager is src:ldap-account-manager.

Reported by: Eric Sesterhenn <snakebyte@gmx.de>

Date: Mon, 21 Oct 2013 06:54:02 UTC

Severity: important

Tags: patch, security

Found in versions 4.3, ldap-account-manager/3.7-2, ldap-account-manager/3.1.0-2

Fixed in version ldap-account-manager/4.4-1

Done: Roland Gruber <post@rolandgruber.de>

Bug is archived. No further changes may be made.

Forwarded to http://sourceforge.net/p/lam/bugs/156/



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Gruber <post@rolandgruber.de>:
Bug#726976; Package ldap-account-manager. (Mon, 21 Oct 2013 06:54:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Eric Sesterhenn <snakebyte@gmx.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Gruber <post@rolandgruber.de>. (Mon, 21 Oct 2013 06:54:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Eric Sesterhenn <snakebyte@gmx.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ldap-account-manager: Pre-Authentication Cross-Site-Scripting in current_language parameter
Date: Mon, 21 Oct 2013 08:49:16 +0200
Package: ldap-account-manager
Version: 4.3
Severity: grave
Tags: security
Justification: user security hole

=== Security Advisory ===

ldap-account-manager-4.3 - PreAuth XSS
------------------------------------------------------------

Affected Version
================
ldap-account-manager-4.3, ldap-account-manager-4.2.1
and possibly others

Problem Overview
================
Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Debian / Roland Gruber
Reported by: Eric Sesterhenn <snakebyte@gmx.de>
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013001.txt
Advisory Status: Private

Problem Impact
==============
While taking a quick look at the LDAP Account Manager,
an XSS issue has been found. It is possible to execute JavaScript
in a victim's browser after tricking the victim into posting certain data
to the website.


Problem Description
===================
The file "./templates/login.php" contains a Cross-Site-Scripting
issue on line 122. When the parameter current_language is set to
malicious input (e.g. foo%3A"><script>alert(1)</script>%3Abar)
JavaScript is executed in the victim's browser.
The parameter current_language is retrieved
from $_SESSION['language'] in line 119, which
is a copy of $_POST['language'] (line 117).


Temporary Workaround and Fix
============================
Apply the following patch to properly encode the variable:

--- templates/login.php.orig    2013-09-25 07:53:03.107208062 +0200
+++ templates/login.php 2013-09-25 07:53:20.715207533 +0200
@@ -119,7 +119,7 @@ if (isset($_POST['language'])) {
 $current_language = explode(":",$_SESSION['language']);
 $_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01
Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n";
 $_SESSION['header'] .= "<html>\n<head>\n";
-$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html;
charset=" . $current_language[1] . "\">\n";
+$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html;
charset=" . htmlentities($current_language[1]) . "\">\n";
 $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n
<meta http-equiv=\"cache-control\" content=\"no-cache\">";

 /**
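Review bot: the `+$_SESSION['header'] .= ...` line encodes the one sink, but the hunk header shows the value comes from `$_POST['language']`, and `explode(":",$_SESSION['language'])` is then trusted to yield a second field; validating the posted value against the configured language list before it is stored in the session would cover every later use of `$_SESSION['language']` in one place and would also avoid an undefined offset on `$current_language[1]` when the stored string contains no `:`. Consider also passing an explicit flag set such as `ENT_QUOTES` to `htmlentities()` so the result does not depend on the PHP version's default flags.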


History
=======
25.09.2013 - Issue detected
20.10.2013 - Vendor notified



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
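The data flow the advisory describes (a posted language string is split on ":" and its second field is written into the content-type meta tag), shown next to the advisory's htmlentities() fix and a stricter whitelist variant. This is an added example in PHP, not LAM's own code; the $supportedLanguages list, the function names, the fallback to the first configured entry and the sample inputs are constructed assumptions.

```php
<?php
// Added example, not code from templates/login.php. It reproduces the
// pattern the advisory describes: a "name:charset:label" string whose
// second field is concatenated into the <meta> content-type tag.

// Constructed stand-in for LAM's configured language list (assumption).
$supportedLanguages = array(
    'en_GB.utf8:UTF-8:English (Great Britain)',
    'de_DE.utf8:UTF-8:Deutsch (Deutschland)',
);

// Vulnerable form: the raw second field reaches the HTML attribute.
function charsetMetaUnsafe($languageSetting) {
    $current_language = explode(":", $languageSetting);
    return "<meta http-equiv=\"content-type\" content=\"text/html; charset="
        . $current_language[1] . "\">\n";
}

// Advisory's fix: output-encode the field (explicit flags and encoding so
// the behaviour does not depend on the PHP version's defaults).
function charsetMetaEncoded($languageSetting) {
    $current_language = explode(":", $languageSetting);
    return "<meta http-equiv=\"content-type\" content=\"text/html; charset="
        . htmlentities($current_language[1], ENT_QUOTES, 'UTF-8') . "\">\n";
}

// Stricter variant (added suggestion): only a configured language string is
// accepted, so attacker-chosen bytes never reach the session or the header.
function selectLanguage($posted, array $supported) {
    if (in_array($posted, $supported, true)) {
        return $posted;
    }
    return $supported[0]; // assumption: first entry is the default language
}

function charsetMetaValidated($posted, array $supported) {
    $parts = explode(":", selectLanguage($posted, $supported));
    // guard against a configured entry with fewer than two fields
    $charset = isset($parts[1]) ? $parts[1] : 'UTF-8';
    return "<meta http-equiv=\"content-type\" content=\"text/html; charset="
        . $charset . "\">\n";
}

// Constructed sample inputs: a benign setting and the URL-decoded form of
// the advisory's test string foo%3A"><script>alert(1)</script>%3Abar.
$benign  = $supportedLanguages[0];
$hostile = 'foo:"><script>alert(1)</script>:bar';

foreach (array($benign, $hostile) as $setting) {
    echo "unsafe:    " . charsetMetaUnsafe($setting);
    echo "encoded:   " . charsetMetaEncoded($setting);
    echo "validated: " . charsetMetaValidated($setting, $supportedLanguages);
}
```

Run with the PHP CLI: for the hostile input the unsafe variant emits the closing quote and script tag verbatim, the encoded variant turns them into `&quot;&gt;&lt;script&gt;...`, and the validated variant ignores the input and emits the default language's charset.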



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#726976; Package ldap-account-manager. (Mon, 21 Oct 2013 18:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roland Gruber <post@rolandgruber.de>:
Extra info received and forwarded to list. (Mon, 21 Oct 2013 18:06:04 GMT) Full text and rfc822 format available.

Message #10 received at 726976@bugs.debian.org (full text, mbox):

From: Roland Gruber <post@rolandgruber.de>
To: Eric Sesterhenn <snakebyte@gmx.de>, 726976@bugs.debian.org
Subject: Re: Bug#726976: ldap-account-manager: Pre-Authentication Cross-Site-Scripting in current_language parameter
Date: Mon, 21 Oct 2013 19:54:52 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Eric,

thank you very much for reporting this issue.


There is a patch available now:

https://sourceforge.net/p/lam/bugs/156/#a1dc


Best regards

Roland


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iEYEARECAAYFAlJlamcACgkQq/ywNCsrGZ58SgCfUFOWSltgfgJrzMO8CsDHRwKS
ougAn3jeIxe3PsswAWNaPQCcFhDjDuPL
=Zxx1
-----END PGP SIGNATURE-----



Added tag(s) patch. Request was from Roland Gruber <post@rolandgruber.de> to control@bugs.debian.org. (Mon, 21 Oct 2013 18:45:04 GMT) Full text and rfc822 format available.

Set Bug forwarded-to-address to 'http://sourceforge.net/p/lam/bugs/156/'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 21 Oct 2013 21:18:07 GMT) Full text and rfc822 format available.

Marked as found in versions ldap-account-manager/3.1.0-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 21 Oct 2013 21:27:05 GMT) Full text and rfc822 format available.

Marked as found in versions ldap-account-manager/3.7-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 21 Oct 2013 21:27:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Gruber <post@rolandgruber.de>:
Bug#726976; Package ldap-account-manager. (Tue, 22 Oct 2013 05:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Gruber <post@rolandgruber.de>. (Tue, 22 Oct 2013 05:51:04 GMT) Full text and rfc822 format available.

Message #23 received at 726976@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 726976@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#726976: ldap-account-manager: Pre-Authentication Cross-Site-Scripting in current_language parameter
Date: Tue, 22 Oct 2013 07:47:28 +0200
severity 726976 important
thanks

Hi

As the attack vector involves sending the malicious data via POST, I think
it's safe to downgrade the severity to important.

p.s.: I have requested a CVE for this issue on the oss-security list.

Regards
Salvatore



Severity set to 'important' from 'grave' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Oct 2013 05:51:07 GMT) Full text and rfc822 format available.

Changed Bug title to 'ldap-account-manager: CVE-2013-4453: Pre-Authentication Cross-Site-Scripting in current_language parameter' from 'ldap-account-manager: Pre-Authentication Cross-Site-Scripting in current_language parameter' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Oct 2013 05:57:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Gruber <post@rolandgruber.de>:
Bug#726976; Package ldap-account-manager. (Tue, 22 Oct 2013 07:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Eric Sesterhenn <snakebyte@gmx.de>:
Extra info received and forwarded to list. Copy sent to Roland Gruber <post@rolandgruber.de>. (Tue, 22 Oct 2013 07:03:04 GMT) Full text and rfc822 format available.

Message #32 received at 726976@bugs.debian.org (full text, mbox):

From: Eric Sesterhenn <snakebyte@gmx.de>
To: Roland Gruber <post@rolandgruber.de>
Cc: 726976@bugs.debian.org
Subject: Re: Bug#726976: ldap-account-manager: Pre-Authentication Cross-Site-Scripting in current_language parameter
Date: Tue, 22 Oct 2013 08:58:00 +0200
Hello Roland,

* Roland Gruber (post@rolandgruber.de) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Eric,
> 
> thank you very much for reporting this issue.
> 
> 
> There is a patch available now:
> 
> https://sourceforge.net/p/lam/bugs/156/#a1dc

thanks for the quick reply. The patch looks good to me, even if this
issue is still exploitable with a malicious cookie (but I don't see a way
for an attacker to place such data into a cookie).

To nitpick, the description "E.g. it is not sufficient to click on a link."
is not correct: if the victim clicks on a link to a different
web site which contains a web form and JavaScript to submit this form automatically,
this can be exploited without requiring further user interaction.

Regards, Eric
 



Reply sent to Roland Gruber <post@rolandgruber.de>:
You have taken responsibility. (Thu, 19 Dec 2013 09:51:23 GMT) Full text and rfc822 format available.

Notification sent to Eric Sesterhenn <snakebyte@gmx.de>:
Bug acknowledged by developer. (Thu, 19 Dec 2013 09:51:23 GMT) Full text and rfc822 format available.

Message #37 received at 726976-close@bugs.debian.org (full text, mbox):

From: Roland Gruber <post@rolandgruber.de>
To: 726976-close@bugs.debian.org
Subject: Bug#726976: fixed in ldap-account-manager 4.4-1
Date: Thu, 19 Dec 2013 09:49:53 +0000
Source: ldap-account-manager
Source-Version: 4.4-1

We believe that the bug you reported is fixed in the latest version of
ldap-account-manager, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 726976@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Gruber <post@rolandgruber.de> (supplier of updated ldap-account-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 18 Dec 2013 17:47:35 +0200
Source: ldap-account-manager
Binary: ldap-account-manager ldap-account-manager-lamdaemon
Architecture: source all
Version: 4.4-1
Distribution: unstable
Urgency: low
Maintainer: Roland Gruber <post@rolandgruber.de>
Changed-By: Roland Gruber <post@rolandgruber.de>
Description: 
 ldap-account-manager - webfrontend for managing accounts in an LDAP directory
 ldap-account-manager-lamdaemon - Quota and home directory management for LDAP Account Manager
Closes: 726976
Changes: 
 ldap-account-manager (4.4-1) unstable; urgency=low
 .
   * Fix "Pre-Authentication Cross-Site-Scripting in current_language
     parameter" by updating templates/login.php (Closes: #726976)
   * new upstream release
Checksums-Sha1: 
 2409319d96919c8668ba977285830cc76c3fde00 1262 ldap-account-manager_4.4-1.dsc
 de6aa0af1ae0d54962f1c4920273c20f78608725 13557991 ldap-account-manager_4.4.orig.tar.bz2
 952f5b17b012880ba9d551d60efd314e97385b26 23315 ldap-account-manager_4.4-1.debian.tar.gz
 386c7c9a919cb32d778a0ef21afd1b883d0f8304 12412208 ldap-account-manager_4.4-1_all.deb
 58b7f78013a409a42074f650c43b5520fbf94636 20594 ldap-account-manager-lamdaemon_4.4-1_all.deb
Checksums-Sha256: 
 a99f895c6f7c392b1f6ca8e31ef5bc09a0660f11e2dfc348958072bcab941b07 1262 ldap-account-manager_4.4-1.dsc
 990b963a98a7a6ee1e15072010b7da3a11535e205c4c5c6724676dc2deb44789 13557991 ldap-account-manager_4.4.orig.tar.bz2
 0659b72a2c13bcab1bfd3707361fafdc3a121edbdf689a77e3cbaa62d06edd02 23315 ldap-account-manager_4.4-1.debian.tar.gz
 5d39ade22bc8182945db96d69596d9feb60b66a95d012940410bf57aeb73879d 12412208 ldap-account-manager_4.4-1_all.deb
 a3be77403faf92cbd8fea6981ebe06e15c0559d7ea8bb7e5fc708a9ff8845b6d 20594 ldap-account-manager-lamdaemon_4.4-1_all.deb
Files: 
 c92b8acef40f78327fac36ddec0ac894 1262 web extra ldap-account-manager_4.4-1.dsc
 7ed89d9fd935ae44fa7236b06a255550 13557991 web extra ldap-account-manager_4.4.orig.tar.bz2
 0ea10b52816d428dd449df424111e68c 23315 web extra ldap-account-manager_4.4-1.debian.tar.gz
 9fab556f36ab5cb40dd2c16fcf00aa0d 12412208 web extra ldap-account-manager_4.4-1_all.deb
 34112d8499ebe51efb3c56c0b61cd0de 20594 web extra ldap-account-manager-lamdaemon_4.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlKyuy4ACgkQK/juK3+WFWRRGgCeO73SCLOBUdomvRP4go+br59o
OqEAnjEwpjeAY2+d+zfDoS1pMGR/VITd
=soMD
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 27 Jan 2014 07:35:09 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:06:07 2014; Machine Name: beach.debian.org
