
ldap-account-manager does not escape HTML special chars



severity 415379 grave
tags 415379 + security
stop


Hi Debian security,

a user reported that LAM does not escape HTML special chars if such data
is read from LDAP and displayed in the browser. E.g. the LDAP attribute
which stores an account description could include "<", ">" and such chars.
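To make the defect concrete, here is an added illustration (not LAM's own code, which is PHP) in Python: the unescaped rendering of an LDAP `description` value beside the escaped form, plus a small audit helper that lists directory entries whose attribute values carry HTML special chars. The `LDAP_ENTRIES` sample data is constructed for the example.

```python
import html
import re

# Constructed sample LDAP entries (not real directory data), shaped like what an
# admin front end reads back before rendering an account list in the browser.
LDAP_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org",
     "description": ["Accounting team lead"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org",
     "description": ['Temporary <b>contractor</b> & guest']},
]

# HTML special chars that must be escaped before an attribute value is emitted
# into a page; '&' is only harmful in combination, but it still has to be encoded.
HTML_SPECIAL = re.compile(r'[<>&"\']')
# Raw markup delimiters that must never survive into the rendered cell body.
RAW_MARKUP = re.compile(r'[<>"\']')


def render_unsafe(value: str) -> str:
    """The defective pattern: the LDAP value is pasted straight into the page."""
    return f"<td>{value}</td>"


def render_safe(value: str) -> str:
    """The fix: escape HTML special chars on output (html.escape is the Python
    counterpart of PHP's htmlspecialchars), so the browser shows text, not tags."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def is_neutralised(rendered: str) -> bool:
    """True when the cell body contains no raw '<', '>' or quote characters."""
    body = rendered[len("<td>"):-len("</td>")]
    return RAW_MARKUP.search(body) is None


def audit_entries(entries, attrs=("description",)):
    """Defender-side check: return (dn, attr) pairs whose values contain HTML
    special chars, i.e. the entries an unpatched LAM would have rendered raw."""
    findings = []
    for entry in entries:
        for attr in attrs:
            for value in entry.get(attr, []):
                if HTML_SPECIAL.search(value):
                    findings.append((entry["dn"], attr))
    return findings
```

Running `audit_entries` against a directory export is a cheap way to find values that need review while the patched package is rolled out.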


Possible attack targets:

Admin users who manage user and group accounts with LAM. LAM only allows
a predefined list of admin users to use this application. Therefore only
these persons can be attacked.


Needed privileges to start an attack:

An attacker needs write access to the LDAP directory. This requires a
valid LDAP account and LDAP ACLs which allow this account to write data.
By default only admin users have write access. But ordinary users may
also get access to change their mail address etc.


Affected releases:

Debian stable: ldap-account-manager 0.4.9-2
Debian Etch/testing: ldap-account-manager 1.1.1-1
Debian Unstable: ldap-account-manager 1.2.0-1


I will build patches right now.


-- 

Best regards

Roland Gruber


LDAP Account Manager
http://lam.sourceforge.net

Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm
