XSS in cmd.php for 1.2.5

[4ndygu]

A user can set a field to an XSS payload, which triggers when the confirmation screen for whether to confirm the change is raised.

From cmd.php, say I have an attribute set to the following:

Then, say I am an admin and would like to change that field back:

When the field prompts me for a change, the payload is triggered. A user can log into user 1 and request a change, then wait for an admin to try deleting the field, which would trigger the payload for that user.

[leenooks]

Problem doesnt appear to be in 1.2.6.2 - please let me know if it is.

[setharnold]

I didn't look exhaustively but this commit appears likely to have addressed the issue:

c87571f

Do you know if a CVE has been assigned for this issue yet?

Thanks

[4ndygu]

Hi!

I don't think so -- do you know how I can go about this? I apologize for the lack of knowledge / context here. If it helps, I filed a report at https://bugs.launchpad.net/ubuntu/+source/phpldapadmin, but the ticket should be private since it's a security issue.

• Andy

[setharnold]

On Wed, Dec 02, 2020 at 01:00:07PM -0800, Andy Gu wrote: I don't think so -- do you know how I can go about this? I apologize for the lack of knowledge / context here. If it helps, I filed a report at https://bugs.launchpad.net/ubuntu/+source/phpldapadmin, but the ticket should be private since it's a security issue.

I opened the launchpad bug because all the details are public on the github issue. Because compiling all the necessary information for a CVE takes time, and because duplicate CVE assignments cost all CVE consumers time, I'd like to make sure that this doesn't already have a CVE number assigned before asking MITRE to assign one. Thanks

[4ndygu]

Cool, thanks! It seems like you confirmed it here: https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1906474. No CVE number is currently assigned.

[alexmurray]

This was assigned CVE-2020-35132 by MITRE.

[epozuelo]

@leenooks @4ndygu are you sure this is fixed in 1.2.6.2? I can still reproduce this issue with that version.

[epozuelo]

ping? I think this is unfixed, can someone double check & reopen?

[4ndygu]

@leenooks Can we take a second look at the fix if possible? I am currently indisposed and have nuked my environment but can spin it back up in a few weeks otherwise to confirm @epozuelo.

[epozuelo]

any news on this? can this issue be reopened to match its current status?

[4ndygu]

Hey @epozuelo ! I don't think I have permissions here to re-open, but @leenooks should. I wonder if it would make sense in this case to open a new issue for visibility.

[setharnold]

My suggestion is to open a new issue -- anyone can do that, it'll help reduce confusion, etc. It'd be best to include a small reproducer that can be clearly used to demonstrate when the issue has been fixed.

Thanks

[epozuelo]

I have opened #137. Please someone double check if you can also reproduce this issue with 1.2.6.2 and report there. Thanks!