
ldap-account-manager



CVE-2018-8763: untrusted parameters not sanitised

Upstream patches apply automatically to the wheezy version without any
errors, except for the patch for masscreate.php, which doesn't appear to
exist.

CVE-2018-8764: CSRF token passed in URL

I believe the Wheezy version - same as for Jessie - doesn't have CSRF
support. So I intend to mark this as not-affected. Although the absence
of CSRF support is probably a bigger issue than CSRF tokens in URLs, it is
beyond the scope of wheezy LTS support.

Attached is my debdiff.
-- 
Brian May <bam@debian.org>
diff -Nru ldap-account-manager-3.7/debian/changelog ldap-account-manager-3.7/debian/changelog
--- ldap-account-manager-3.7/debian/changelog	2012-06-10 22:18:16.000000000 +1000
+++ ldap-account-manager-3.7/debian/changelog	2018-04-04 17:12:54.000000000 +1000
@@ -1,3 +1,10 @@
+ldap-account-manager (3.7-2+deb7u1) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the LTS.
+  * Fix CVE-2018-8763: XSS attacks via untrusted parameters.
+
+ -- Brian May <bam@debian.org>  Wed, 04 Apr 2018 17:12:54 +1000
+
 ldap-account-manager (3.7-2) unstable; urgency=low
 
   * Fix "[INTL:pl] Polish debconf translation" (Closes: #667086)
diff -Nru ldap-account-manager-3.7/debian/patches/0001-CVE-2018-8763.patch ldap-account-manager-3.7/debian/patches/0001-CVE-2018-8763.patch
--- ldap-account-manager-3.7/debian/patches/0001-CVE-2018-8763.patch	1970-01-01 10:00:00.000000000 +1000
+++ ldap-account-manager-3.7/debian/patches/0001-CVE-2018-8763.patch	2018-04-04 17:09:19.000000000 +1000
@@ -0,0 +1,388 @@
+From: Brian May <brian@linuxpenguins.xyz>
+Date: Wed, 4 Apr 2018 17:02:29 +1000
+Subject: CVE-2018-8763
+
+Origin: https://github.com/LDAPAccountManager/lam/commit/f1d7aec5fc4aaf516e1d8a6f0eb3082050553302
+Origin: https://github.com/LDAPAccountManager/lam/commit/16fc7f7e8603c5cb7c129cfbf97fc572b9b8740c
+---
+ templates/3rdParty/pla/htdocs/add_attr_form.php        | 4 ++--
+ templates/3rdParty/pla/htdocs/add_oclass_form.php      | 4 ++--
+ templates/3rdParty/pla/htdocs/add_value_form.php       | 4 ++--
+ templates/3rdParty/pla/htdocs/compare.php              | 4 ++--
+ templates/3rdParty/pla/htdocs/compare_form.php         | 6 +++---
+ templates/3rdParty/pla/htdocs/copy.php                 | 4 ++--
+ templates/3rdParty/pla/htdocs/copy_form.php            | 6 +++---
+ templates/3rdParty/pla/htdocs/delete.php               | 6 +++---
+ templates/3rdParty/pla/htdocs/delete_attr.php          | 2 +-
+ templates/3rdParty/pla/htdocs/delete_form.php          | 8 ++++----
+ templates/3rdParty/pla/htdocs/download_binary_attr.php | 4 ++--
+ templates/3rdParty/pla/htdocs/modify_member_form.php   | 2 +-
+ templates/3rdParty/pla/htdocs/rdelete.php              | 2 +-
+ templates/3rdParty/pla/htdocs/rename_form.php          | 8 ++++----
+ templates/3rdParty/pla/htdocs/template_engine.php      | 4 ++--
+ templates/3rdParty/pla/htdocs/update.php               | 2 +-
+ templates/3rdParty/pla/htdocs/update_confirm.php       | 2 +-
+ templates/3rdParty/pla/htdocs/view_jpeg_photo.php      | 2 +-
+ 18 files changed, 37 insertions(+), 37 deletions(-)
+
+diff --git a/templates/3rdParty/pla/htdocs/add_attr_form.php b/templates/3rdParty/pla/htdocs/add_attr_form.php
+index a0a2996..d12ea18 100644
+--- a/templates/3rdParty/pla/htdocs/add_attr_form.php
++++ b/templates/3rdParty/pla/htdocs/add_attr_form.php
+@@ -17,7 +17,7 @@ $request['dn'] = get_request('dn','GET');
+ 
+ # Check if the entry exists.
+ if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
+-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
++	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
+ 
+ $request['page'] = new TemplateRender($app['server']->getIndex(),get_request('template','REQUEST',false,null));
+ $request['page']->setDN($request['dn']);
+@@ -100,7 +100,7 @@ if (get_request('meth','REQUEST') != 'ajax') {
+ 					echo '<input type="hidden" name="cmd" value="update" />';
+ 
+ 				printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
+-				printf('<input type="hidden" name="dn" value="%s" />',$request['dn']);
++				printf('<input type="hidden" name="dn" value="%s" />',htmlspecialchars($request['dn']));
+ 				echo '<input type="hidden" name="binary" value="true" />';
+ 
+ 				echo '<select name="single_item_attr">';
+diff --git a/templates/3rdParty/pla/htdocs/add_oclass_form.php b/templates/3rdParty/pla/htdocs/add_oclass_form.php
+index 87d61c5..72de0eb 100644
+--- a/templates/3rdParty/pla/htdocs/add_oclass_form.php
++++ b/templates/3rdParty/pla/htdocs/add_oclass_form.php
+@@ -21,7 +21,7 @@ $request['dn'] = get_request('dn','REQUEST',true);
+ 
+ # Check if the entry exists.
+ if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
+-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
++	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
+ 
+ $request['page'] = new TemplateRender($app['server']->getIndex(),get_request('template','REQUEST',false,null));
+ $request['page']->setDN($request['dn']);
+@@ -57,7 +57,7 @@ foreach ($ldap['attrs']['need'] as $index => $values)
+ 	$ldap['attrs']['need'][$index]->show();
+ 
+ if (count($ldap['attrs']['need']) > 0) {
+-	$request['page']->drawTitle(sprintf(_('Add new object class to <b>%s</b>'),get_rdn($request['dn'])));
++	$request['page']->drawTitle(sprintf(_('Add new object class to <b>%s</b>'),htmlspecialchars(get_rdn($request['dn']))));
+ 	$request['page']->drawSubTitle();
+ 
+ 	echo '<div style="text-align: center">';
+diff --git a/templates/3rdParty/pla/htdocs/add_value_form.php b/templates/3rdParty/pla/htdocs/add_value_form.php
+index 66d9757..d675a6f 100644
+--- a/templates/3rdParty/pla/htdocs/add_value_form.php
++++ b/templates/3rdParty/pla/htdocs/add_value_form.php
+@@ -19,7 +19,7 @@ $request['attr'] = get_request('attr','GET',true);
+ 
+ # Check if the entry exists.
+ if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
+-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
++	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
+ 
+ $request['page'] = new TemplateRender($app['server']->getIndex(),get_request('template','REQUEST',false,null));
+ $request['page']->setDN($request['dn']);
+@@ -105,7 +105,7 @@ if (! strcasecmp($request['attr'],'objectclass') || get_request('meth','REQUEST'
+ 		foreach ($socs as $name => $oclass) {
+ 			# Exclude any structural ones, that are not in the heirachy, as they'll only generate an LDAP_OBJECT_CLASS_VIOLATION
+ 			if (($oclass->getType() == 'structural') && ! $oclass->isRelated($request['attribute']->getValues()))
+-				continue; 
++				continue;
+ 
+ 			printf('<option value="%s">%s</option>',$oclass->getName(false),$oclass->getName(false));
+ 		}
+diff --git a/templates/3rdParty/pla/htdocs/compare.php b/templates/3rdParty/pla/htdocs/compare.php
+index ec204e1..dc0e53d 100644
+--- a/templates/3rdParty/pla/htdocs/compare.php
++++ b/templates/3rdParty/pla/htdocs/compare.php
+@@ -21,10 +21,10 @@ $ldap['SRC'] = $_SESSION[APPCONFIG]->getServer(get_request('server_id_src'));
+ $ldap['DST'] = $_SESSION[APPCONFIG]->getServer(get_request('server_id_dst'));
+ 
+ if (! $ldap['SRC']->dnExists($request['dnSRC']))
+-	error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn($request['dnSRC'])),'error','index.php');
++	error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn(htmlspecialchars($request['dnSRC']))),'error','index.php');
+ 
+ if (! $ldap['DST']->dnExists($request['dnDST']))
+-	error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn($request['dnDST'])),'error','index.php');
++	error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn(htmlspecialchars($request['dnDST']))),'error','index.php');
+ 
+ $request['pageSRC'] = new PageRender($ldap['SRC']->getIndex(),get_request('template','REQUEST',false,'none'));
+ $request['pageSRC']->setDN($request['dnSRC']);
+diff --git a/templates/3rdParty/pla/htdocs/compare_form.php b/templates/3rdParty/pla/htdocs/compare_form.php
+index e519c96..53894d7 100644
+--- a/templates/3rdParty/pla/htdocs/compare_form.php
++++ b/templates/3rdParty/pla/htdocs/compare_form.php
+@@ -18,19 +18,19 @@ $request['dn'] = get_request('dn','GET');
+ 
+ # Check if the entry exists.
+ if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
+-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
++	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
+ 
+ $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none'));
+ $request['page']->setDN($request['dn']);
+ $request['page']->accept();
+ 
+ # Render the form
+-$request['page']->drawTitle(sprintf(_('Compare another DN with <b>%s</b>'),get_rdn($request['dn'])));
++$request['page']->drawTitle(sprintf(_('Compare another DN with <b>%s</b>'),htmlspecialchars(get_rdn($request['dn']))));
+ $request['page']->drawSubTitle();
+ 
+ printf('<script type="text/javascript" src="%sdnChooserPopup.js"></script>',JSDIR);
+ echo '<div style="text-align: center;">';
+-printf('%s <b>%s</b> %s<br />',_('Compare'),get_rdn($request['dn']),_('with '));
++printf('%s <b>%s</b> %s<br />',_('Compare'),htmlspecialchars(get_rdn($request['dn'])),_('with '));
+ echo '</div>';
+ 
+ echo '<form action="cmd.php" method="post" id="compare_form">';
+diff --git a/templates/3rdParty/pla/htdocs/copy.php b/templates/3rdParty/pla/htdocs/copy.php
+index ba83507..926c436 100644
+--- a/templates/3rdParty/pla/htdocs/copy.php
++++ b/templates/3rdParty/pla/htdocs/copy.php
+@@ -28,11 +28,11 @@ if ($ldap['DST']->isReadOnly())
+ 	error(('Destination server is currently READ-ONLY.'),'error','index.php');
+ 
+ if ($ldap['DST']->dnExists($request['dnDST']))
+-	error(sprintf(_('The destination entry (%s) already exists.'),pretty_print_dn($request['dnDST'])),'error','index.php');
++	error(sprintf(_('The destination entry (%s) already exists.'),pretty_print_dn(htmlspecialchars($request['dnDST']))),'error','index.php');
+ 
+ if (! $ldap['DST']->dnExists($ldap['DST']->getContainer($request['dnDST'])))
+ 	error(sprintf(_('The container you specified (%s) does not exist. Please try again.'),
+-		pretty_print_dn($ldap['DST']->getContainer($request['dnDST']))),'error','index.php');
++		pretty_print_dn(htmlspecialchars($ldap['DST']->getContainer($request['dnDST'])))),'error','index.php');
+ 
+ if (pla_compare_dns($request['dnSRC'],$request['dnDST']) == 0 && $ldap['SRC']->getIndex() == $ldap['DST']->getIndex())
+ 	error(_('The source and destination DN are the same.'),'error','index.php');
+diff --git a/templates/3rdParty/pla/htdocs/copy_form.php b/templates/3rdParty/pla/htdocs/copy_form.php
+index cc77429..cca4966 100644
+--- a/templates/3rdParty/pla/htdocs/copy_form.php
++++ b/templates/3rdParty/pla/htdocs/copy_form.php
+@@ -17,19 +17,19 @@ $request['dn'] = get_request('dn','GET');
+ 
+ # Check if the entry exists.
+ if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
+-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
++	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
+ 
+ $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none'));
+ $request['page']->setDN($request['dn']);
+ $request['page']->accept();
+ 
+ # Render the form
+-$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Copy'),get_rdn($request['dn'])));
++$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Copy'),htmlspecialchars(get_rdn($request['dn']))));
+ $request['page']->drawSubTitle();
+ 
+ printf('<script type="text/javascript" src="%sdnChooserPopup.js"></script>',JSDIR);
+ echo '<div style="text-align: center;">';
+-printf(_('Copy <b>%s</b> to a new object.') . '<br /><br />',get_rdn($request['dn']));
++printf(_('Copy <b>%s</b> to a new object.') . '<br /><br />',htmlspecialchars(get_rdn($request['dn'])));
+ echo '</div>';
+ 
+ echo '<form action="cmd.php" method="post" id="copy_form">';
+diff --git a/templates/3rdParty/pla/htdocs/delete.php b/templates/3rdParty/pla/htdocs/delete.php
+index 73d7f7f..32d8ac1 100644
+--- a/templates/3rdParty/pla/htdocs/delete.php
++++ b/templates/3rdParty/pla/htdocs/delete.php
+@@ -16,7 +16,7 @@ $request = array();
+ $request['dn'] = get_request('dn','REQUEST',true);
+ 
+ if (! $app['server']->dnExists($request['dn']))
+-	error(sprintf('%s (%s)',_('No such entry.'),'<b>'.pretty_print_dn($request['dn']).'</b>'),'error','index.php');
++	error(sprintf('%s (%s)',_('No such entry.'),'<b>'.pretty_print_dn(htmlspecialchars($request['dn'])).'</b>'),'error','index.php');
+ 
+ # Delete the entry.
+ $result = $app['server']->delete($request['dn']);
+@@ -29,12 +29,12 @@ if ($result) {
+ 
+ 	system_message(array(
+ 		'title'=>_('Delete DN'),
+-		'body'=>sprintf('<b>' . _('Successfully deleted DN %s') . '</b>',$request['dn']),
++		'body'=>sprintf('<b>' . _('Successfully deleted DN %s') . '</b>',htmlspecialchars($request['dn'])),
+ 		'type'=>'info'),
+ 		sprintf('index.php?server_id=%s%s',$app['server']->getIndex(),$redirect_url));
+ } else
+ 	system_message(array(
+-		'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn($request['dn'])),
++		'title'=>_('Could not delete the entry.').sprintf(' (%s)',htmlspecialchars(pretty_print_dn($request['dn']))),
+ 		'body'=>ldap_error_msg($app['server']->getErrorMessage(null),$app['server']->getErrorNum(null)),
+ 		'type'=>'error'));
+ ?>
+diff --git a/templates/3rdParty/pla/htdocs/delete_attr.php b/templates/3rdParty/pla/htdocs/delete_attr.php
+index c33c5e7..c6bf159 100644
+--- a/templates/3rdParty/pla/htdocs/delete_attr.php
++++ b/templates/3rdParty/pla/htdocs/delete_attr.php
+@@ -17,7 +17,7 @@ $request['attr'] = get_request('attr','REQUEST',true);
+ $request['index'] = get_request('index','REQUEST',true);
+ 
+ if ($app['server']->isAttrReadOnly($request['attr']))
+-	error(sprintf(('The attribute "%s" is flagged as read-only in the phpLDAPadmin configuration.'),$request['attr']),'error','index.php');
++	error(sprintf(('The attribute "%s" is flagged as read-only in the phpLDAPadmin configuration.'),htmlspecialchars($request['attr'])),'error','index.php');
+ 
+ $update_array = array();
+ $update_array[$request['attr']] = $app['server']->getDNAttrValue($request['dn'],$request['attr']);
+diff --git a/templates/3rdParty/pla/htdocs/delete_form.php b/templates/3rdParty/pla/htdocs/delete_form.php
+index e3be638..a4d1767 100644
+--- a/templates/3rdParty/pla/htdocs/delete_form.php
++++ b/templates/3rdParty/pla/htdocs/delete_form.php
+@@ -24,15 +24,15 @@ $request['template'] = $request['page']->getTemplate();
+ if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
+ 	system_message(array(
+ 		'title'=>_('Entry does not exist'),
+-		'body'=>sprintf(_('The entry (%s) does not exist.'),$request['dn']),
++		'body'=>sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),
+ 		'type'=>'error'),'index.php');
+ 
+ # We search all children, not only the visible children in the tree
+ $request['children'] = $app['server']->getContainerContents($request['dn'],null,0,'(objectClass=*)',LDAP_DEREF_NEVER);
+ 
+-printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(get_rdn($request['dn'])));
++printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(htmlspecialchars(get_rdn($request['dn']))));
+ printf('<h3 class="subtitle">%s: <b>%s</b></h3>',
+-	_('DN'),$request['dn']);
++	_('DN'),htmlspecialchars($request['dn']));
+ echo "\n";
+ 
+ echo '<center>';
+@@ -109,7 +109,7 @@ if (count($request['children'])) {
+ 
+ 	printf('<tr><td style="width: 10%%;">%s:</td><td colspan="3" style="width: 75%%;"><b>%s</b></td></tr>',_('Server'),$app['server']->getName());
+ 	printf('<tr><td style="width: 10%%;"><acronym title="%s">%s</acronym></td><td colspan="3" style="width: 75%%;"><b>%s</b></td></tr>',
+-		_('DN'),_('DN'),$request['dn']);
++		_('DN'),_('DN'),htmlspecialchars($request['dn']));
+ 	echo '<tr><td colspan="4">&nbsp;</td></tr>';
+ 	echo "\n";
+ 
+diff --git a/templates/3rdParty/pla/htdocs/download_binary_attr.php b/templates/3rdParty/pla/htdocs/download_binary_attr.php
+index 251f2de..1338ba3 100644
+--- a/templates/3rdParty/pla/htdocs/download_binary_attr.php
++++ b/templates/3rdParty/pla/htdocs/download_binary_attr.php
+@@ -21,13 +21,13 @@ $request['type'] = get_request('type','GET',false,'octet-stream');
+ $request['filename'] = get_request('filename','GET',false,sprintf('%s:%s.bin',get_rdn($request['dn'],true),$request['attr']));
+ 
+ if (! $app['server']->dnExists($request['dn']))
+-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
++	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
+ 
+ $search = $app['server']->getDNAttrValues($request['dn'],null,LDAP_DEREF_NEVER,array($request['attr']));
+ 
+ # Dump the binary data to the browser
+ $obStatus = ob_get_status();
+-if (isset($obStatus['type']) && $obStatus['type'] && $obStatus['status']) 
++if (isset($obStatus['type']) && $obStatus['type'] && $obStatus['status'])
+ 	ob_end_clean();
+ 
+ if (! isset($search[$request['attr']][$request['index']])) {
+diff --git a/templates/3rdParty/pla/htdocs/modify_member_form.php b/templates/3rdParty/pla/htdocs/modify_member_form.php
+index 213a0e7..9385cc3 100644
+--- a/templates/3rdParty/pla/htdocs/modify_member_form.php
++++ b/templates/3rdParty/pla/htdocs/modify_member_form.php
+@@ -54,7 +54,7 @@ foreach ($app['server']->getBaseDN() as $base) {
+ 
+ usort($possible_values,'pla_compare_dns');
+ 
+-$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Modify group'),get_rdn($request['dn'])));
++$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Modify group'),htmlspecialchars(get_rdn($request['dn']))));
+ $request['page']->drawSubTitle();
+ 
+ printf(_('There are <b>%s</b> members in group <b>%s</b>:'),
+diff --git a/templates/3rdParty/pla/htdocs/rdelete.php b/templates/3rdParty/pla/htdocs/rdelete.php
+index 5a40a5c..0aec2ac 100644
+--- a/templates/3rdParty/pla/htdocs/rdelete.php
++++ b/templates/3rdParty/pla/htdocs/rdelete.php
+@@ -44,7 +44,7 @@ foreach ($request['parent'] as $dn) {
+ 
+ 	} else {
+ 		system_message(array(
+-			'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn($request['dn'])),
++			'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn(htmlspecialchars($request['dn']))),
+ 			'body'=>ldap_error_msg($app['server']->getErrorMessage(null),$app['server']->getErrorNum(null)),
+ 			'type'=>'error'));
+ 	}
+diff --git a/templates/3rdParty/pla/htdocs/rename_form.php b/templates/3rdParty/pla/htdocs/rename_form.php
+index 8ed78c1..9c8767d 100644
+--- a/templates/3rdParty/pla/htdocs/rename_form.php
++++ b/templates/3rdParty/pla/htdocs/rename_form.php
+@@ -21,17 +21,17 @@ $request['page']->setDN($request['dn']);
+ $request['page']->accept();
+ 
+ # Render the form
+-$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Rename'),get_rdn($request['dn'])));
++$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Rename'),htmlspecialchars(get_rdn($request['dn']))));
+ $request['page']->drawSubTitle();
+ 
+ echo '<center>';
+-printf(_('Rename <b>%s</b> to a new object.') . '<br /><br />',get_rdn($request['dn']));
++printf(_('Rename <b>%s</b> to a new object.') . '<br /><br />',htmlspecialchars(get_rdn($request['dn'])));
+ 
+ echo '<form action="cmd.php?cmd=rename" method="post" />';
+ printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
+ printf('<input type="hidden" name="dn" value="%s" />',rawurlencode($request['dn']));
+-printf('<input type="hidden" name="template" value="%s" />',$request['template']);
+-printf('<input type="text" name="new_rdn" size="30" value="%s" />',get_rdn($request['dn']));
++printf('<input type="hidden" name="template" value="%s" />',htmlspecialchars($request['template']));
++printf('<input type="text" name="new_rdn" size="30" value="%s" />',htmlspecialchars(get_rdn($request['dn'])));
+ printf('<input type="submit" value="%s" />',_('Rename'));
+ echo '</form>';
+ 
+diff --git a/templates/3rdParty/pla/htdocs/template_engine.php b/templates/3rdParty/pla/htdocs/template_engine.php
+index 1cfaba9..224a52d 100644
+--- a/templates/3rdParty/pla/htdocs/template_engine.php
++++ b/templates/3rdParty/pla/htdocs/template_engine.php
+@@ -12,7 +12,7 @@ The template engine has the following responsibilities:
+ * If we are passed a DN, then we are editing an existing entry
+ * If we are not passed a DN, then we are passed a container (and creating a new entry in that container)
+ 
+-In both cases, we are optionally passed a template ID. 
++In both cases, we are optionally passed a template ID.
+ * If we have a template ID, then we'll render the creation/editing using that template
+ * If we are not passed a template ID, then we'll either:
+ 	* Present a list of available templates,
+@@ -42,7 +42,7 @@ $request['page'] = new TemplateRender($app['server']->getIndex(),get_request('te
+ # If we have a DN, then this is to edit the entry.
+ if ($request['dn']) {
+ 	$app['server']->dnExists($request['dn'])
+-		or error(sprintf('%s (%s)',_('No such entry'),pretty_print_dn($request['dn'])),'error','index.php');
++		or error(sprintf('%s (%s)',_('No such entry'),pretty_print_dn(htmlspecialchars($request['dn']))),'error','index.php');
+ 
+ 	$request['page']->setDN($request['dn']);
+ 	$request['page']->accept();
+diff --git a/templates/3rdParty/pla/htdocs/update.php b/templates/3rdParty/pla/htdocs/update.php
+index 5f31f28..fafda95 100644
+--- a/templates/3rdParty/pla/htdocs/update.php
++++ b/templates/3rdParty/pla/htdocs/update.php
+@@ -24,7 +24,7 @@ if (get_request('cancel','REQUEST')) {
+ }
+ 
+ if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
+-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
++	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
+ 
+ $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none'));
+ $request['page']->setDN($request['dn']);
+diff --git a/templates/3rdParty/pla/htdocs/update_confirm.php b/templates/3rdParty/pla/htdocs/update_confirm.php
+index 69735e2..6e91fa8 100644
+--- a/templates/3rdParty/pla/htdocs/update_confirm.php
++++ b/templates/3rdParty/pla/htdocs/update_confirm.php
+@@ -20,7 +20,7 @@ $request = array();
+ $request['dn'] = get_request('dn','REQUEST',true);
+ 
+ if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
+-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
++	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
+ 
+ $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none'));
+ $request['page']->setDN($request['dn']);
+diff --git a/templates/3rdParty/pla/htdocs/view_jpeg_photo.php b/templates/3rdParty/pla/htdocs/view_jpeg_photo.php
+index d52501c..372ab5b 100644
+--- a/templates/3rdParty/pla/htdocs/view_jpeg_photo.php
++++ b/templates/3rdParty/pla/htdocs/view_jpeg_photo.php
+@@ -18,7 +18,7 @@ $request['dn'] = get_request('dn','GET');
+ $request['attr'] = strtolower(get_request('attr','GET',false,'jpegphoto'));
+ $request['index'] = get_request('index','GET',false,0);
+ $request['type'] = get_request('type','GET',false,'image/jpeg');
+-$request['filename'] = get_request('filename','GET',false,sprintf('%s.jpg',get_rdn($request['dn'],true)));
++$request['filename'] = get_request('filename','GET',false,sprintf('%s.jpg',htmlspecialchars(get_rdn($request['dn'],true))));
+ $request['location'] = get_request('location','GET',false,'ldap');
+ 
+ switch ($request['location']) {
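Review bot: The `<h3 class="title">` line in delete_form.php's first hunk now escapes twice, `htmlspecialchars(htmlspecialchars(get_rdn($request['dn'])))`, because the pre-patch line already had one `htmlspecialchars()` call, so any `&`, `<` or `"` in the RDN will render as `&amp;amp;`-style text; the outer call should be dropped: `printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(get_rdn($request['dn'])));`. The placement of the escape around `pretty_print_dn()` is also inconsistent within this patch: delete.php escapes the DN before passing it in on its first hunk but escapes the result on its second, while compare.php, copy.php, rdelete.php and template_engine.php all use the inner form. Which placement is right depends on whether `pretty_print_dn()` emits markup of its own, which is not visible here, but the two forms should not coexist in one fix. The view_jpeg_photo.php change HTML-escapes the default for `filename`, which looks like a download file name rather than page output; if that value is later sent in a Content-Disposition header, entity encoding is the wrong transform for that context and would mangle the name without addressing header injection, so it is worth checking how `$request['filename']` is consumed further down that file.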
diff -Nru ldap-account-manager-3.7/debian/patches/series ldap-account-manager-3.7/debian/patches/series
--- ldap-account-manager-3.7/debian/patches/series	1970-01-01 10:00:00.000000000 +1000
+++ ldap-account-manager-3.7/debian/patches/series	2018-04-04 17:09:19.000000000 +1000
@@ -0,0 +1 @@
+0001-CVE-2018-8763.patch
