Full_Name: Yann CAM
Version:
OS:
URL: http://www.openldap.org/its/
Submission from: (NULL) (2a01:e34:edbf:a5d0:845:664b:ce80:cf7b)

I'm contacting you to inform you about the presence of a Reflected XSS vulnerability on the www.openldap.org main domain.

Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake OpenLDAP pages, or capture users' data.

This reflected XSS is in the GET "id" variable of the current "JitterBug" tracker, which is not properly sanitized before being used in the page.

The JitterBug tracker project seems to be suspended (https://www.samba.org/cgi-bin/jitterbug/); this vulnerability isn't specific to your bug tracker. I have just opened a ticket to report this vulnerability to the samba-jitterbug maintainers (https://bugzilla.samba.org/show_bug.cgi?id=10967).

Proof of concept, tested with Firefox 33.1.1 (screenshot in attachment):

http://www.openldap.org/its/index.cgi/Documentation?id=1337</TITLE><img src=x onerror="alert(/Reflected XSS - Yann CAM @ASAfety/)" /><TITLE>;selectid=1337

Screenshots available:

http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_001.png
http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_002.png

Feel free to contact me for more information.

Best regards,

Yann CAM - Security Consultant @ASafety - Synetis - www.synetis.com
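The failure the report describes (the GET "id" value reflected unescaped into the page's TITLE) beside a hardened rendering, plus a check over access-log lines for "id" values that are not a bare ticket number. This is an added example, not the ticket's or JitterBug's own code; the template strings, function names and log lines are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote

# Hypothetical helpers modelled on the ticket; JitterBug's real template is not on this page.
TICKET_ID = re.compile(r"[0-9]{1,9}")  # used with fullmatch(): '$' would accept a trailing newline
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def render_title_vulnerable(id_param: str) -> str:
    """The defect in the ticket: the GET 'id' value lands verbatim inside <TITLE>,
    so a value containing '</TITLE><img ...>' closes the element and injects markup."""
    return f"<TITLE>ITS - id={id_param}</TITLE>"

def render_title_hardened(id_param: str):
    """Defence in depth: allow-list the value as a bare ticket number, then still
    HTML-encode it so '<', '>' and quotes become entities. Returns (status, body)."""
    if not TICKET_ID.fullmatch(id_param):
        return 400, "<TITLE>ITS - invalid ticket id</TITLE>"
    return 200, f"<TITLE>ITS - id={html.escape(id_param, quote=True)}</TITLE>"

def query_params(request_target: str) -> dict:
    """Split a request target's query into parameters. Both '&' and ';' separate
    pairs, because the tracker's own URLs use ';selectid=' (seen in the report)."""
    _, _, query = request_target.partition("?")
    params = {}
    for pair in filter(None, re.split(r"[&;]", query)):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params

def suspicious_id_requests(log_lines):
    """Detection over access-log lines: (line number, decoded id) for tracker
    requests whose 'id' is anything other than a bare ticket number."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m or "/its/" not in m.group(1):
            continue
        for value in query_params(m.group(1)).get("id", []):
            if not TICKET_ID.fullmatch(value):
                hits.append((n, value))
    return hits

# Constructed sample access-log lines (not real OpenLDAP logs).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Nov/2014:10:00:01 +0100] "GET /its/index.cgi/Documentation?id=1337;selectid=1337 HTTP/1.1" 200 4821',
    '198.51.100.7 - - [26/Nov/2014:10:00:09 +0100] "GET /its/index.cgi/Documentation?id=1337%3C/TITLE%3E%3Cimg%20src=x%3E;selectid=1337 HTTP/1.1" 200 4900',
    '203.0.113.5 - - [26/Nov/2014:10:01:00 +0100] "GET /software/index.html HTTP/1.1" 200 300',
]
```

Running `suspicious_id_requests(SAMPLE_LOG)` flags only the second line, with the decoded value that would have been reflected.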
fixed
changed notes
changed state Open to Test
moved from Incoming to Web
yann.cam@gmail.com wrote:
> Full_Name: Yann CAM
> Version:
> OS:
> URL: http://www.openldap.org/its/
> Submission from: (NULL) (2a01:e34:edbf:a5d0:845:664b:ce80:cf7b)
>
>
> I'm contacting you to inform you about the presence of a Reflected XSS
> vulnerability on the www.openldap.org main domain.

Thanks for the report, this is now fixed.

> Through this vulnerability, an attacker could tamper with page rendering,
> redirect victims to fake OpenLDAP pages, or capture users' data.
>
> This reflected XSS is in the GET "id" variable of the current "JitterBug" tracker,
> which is not properly sanitized before being used in the page.
>
> The JitterBug tracker project seems to be suspended
> (https://www.samba.org/cgi-bin/jitterbug/); this vulnerability isn't specific to
> your bug tracker. I have just opened a ticket to report this vulnerability to the
> samba-jitterbug maintainers (https://bugzilla.samba.org/show_bug.cgi?id=10967).
>
> Proof of concept, tested with Firefox 33.1.1 (screenshot in attachment):
>
> http://www.openldap.org/its/index.cgi/Documentation?id=1337</TITLE><img
> src=x onerror="alert(/Reflected XSS - Yann CAM @ASAfety/)"
> /><TITLE>;selectid=1337
>
> Screenshots available:
>
> http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_001.png
> http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_002.png
>
> Feel free to contact me for more information.
>
> Best regards,
>
> Yann CAM - Security Consultant @ASafety - Synetis - www.synetis.com
>
>

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
changed state Test to Closed