
ldap-account-manager does not escape HTML special chars

severity 415379 grave
tags 415379 + security

Hi Debian security,

a user reported that LAM does not escape HTML special chars if such data
is read from LDAP and displayed in the browser. E.g. the LDAP attribute
which stores an account description could include "<", ">" and such chars.

Possible attack targets:

Admin users who manage user and group accounts with LAM. LAM only allows
a predefined list of admin users to use this application. Therefore only
these persons can be attacked.

Needed privileges to start attack:

An attacker needs write access to the LDAP directory. This requires a
valid LDAP account and LDAP ACLs which allow this account to write data.
By default only admin users have write access. But ordinary users may
also get access to change their mail address etc.

Affected releases:

Debian stable: ldap-account-manager 0.4.9-2
Debian Etch/testing: ldap-account-manager 1.1.1-1
Debian Unstable: ldap-account-manager 1.2.0-1

I will build patches right now.


Best regards

Roland Gruber

LDAP Account Manager

Want more? Get LDAP Account Manager Pro!
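As an added illustration (not code from this report or from LAM itself): one way to render attribute values read with ldap_get_entries() so that characters such as "<" and ">" stored in the directory are displayed as text rather than interpreted by the browser. The sample entry and the function names are constructed for this example; it assumes PHP 5.4 or later.

```php
<?php
// Added example, not LAM's own code. Shows the unescaped output the report
// describes next to a hardened renderer that escapes every LDAP value.

// Constructed sample entry in the array layout ldap_get_entries() returns
// for one entry: a 'count', a 'dn', numeric keys listing attribute names,
// and one sub-array per attribute with its own 'count'.
$entry = [
    'count'       => 2,
    'dn'          => 'uid=jdoe,ou=people,dc=example,dc=com',
    0             => 'uid',
    'uid'         => ['count' => 1, 0 => 'jdoe'],
    1             => 'description',
    'description' => ['count' => 1, 0 => 'Jane <b>Doe</b> & co'],
];

/** Escape one attribute value for use in HTML text or attribute context. */
function escapeLdapValue($value)
{
    // ENT_QUOTES also covers single quotes (needed inside attributes);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build one table row per attribute value; the result is safe to echo. */
function renderEntry(array $entry)
{
    $html = '<table><caption>' . escapeLdapValue($entry['dn']) . "</caption>\n";
    foreach ($entry as $attr => $values) {
        // Skip the bookkeeping keys: 'count', 'dn' and the numeric
        // index-to-name entries, whose values are not arrays.
        if (!is_array($values)) {
            continue;
        }
        for ($i = 0; $i < $values['count']; $i++) {
            $html .= '<tr><td>' . escapeLdapValue($attr) . '</td><td>'
                   . escapeLdapValue($values[$i]) . "</td></tr>\n";
        }
    }
    return $html . "</table>\n";
}

// Vulnerable form: the raw directory value lands in the page as markup,
// so "<b>" is rendered by the browser.
$unsafe = '<td>' . $entry['description'][0] . "</td>\n";

// Hardened form: the same value is shown literally as "Jane &lt;b&gt;Doe&lt;/b&gt; &amp; co".
echo renderEntry($entry);
```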
