Issue 7988 - Reflected XSS vulnerability in www.openldap.org
Summary: Reflected XSS vulnerability in www.openldap.org
Status: VERIFIED FIXED
Alias: None
Product: website
Classification: Unclassified
Component: website (show other issues)
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-26 20:16 UTC by yann.cam@gmail.com
Modified: 2015-11-30 18:23 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.
Description yann.cam@gmail.com 2014-11-26 20:16:38 UTC 
Full_Name: Yann CAM
Version: 
OS: 
URL: http://www.openldap.org/its/
Submission from: (NULL) (2a01:e34:edbf:a5d0:845:664b:ce80:cf7b)


I'm contacting you to inform you about the presence of a Reflected XSS
vulnerability on the www.openldap.org main domain.

Through this vulnerability, an attacker could tamper with page rendering,
redirect victims to fake OpenLdap pages, or capture users data.

This reflected XSS is on GET "id" variable of the current "JitterBug" tracker,
and is not properly sanitized before being used to his page.

The JitterBug tracker project seems to be suspended
(https://www.samba.org/cgi-bin/jitterbug/), this vulnerability isn't specific to
your bug tracker. I just open a ticket to report this vulnerability to the
samba-jitterbug maintainers (https://bugzilla.samba.org/show_bug.cgi?id=10967).

Proof of Concept, tested with Firefox 33.1.1 (screenshot in attachment):

    http://www.openldap.org/its/index.cgi/Documentation?id=1337</TITLE><img
src=x onerror="alert(/Reflected XSS - Yann CAM @ASAfety/)"
/><TITLE>;selectid=1337

Screenshots available :

http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_001.png
http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_002.png

Feel free to contact me for more information,

Best regards,

Yann CAM - Security Consultant @ASafety - Synetis - www.synetis.com
Comment 1 OpenLDAP project 2014-11-26 21:28:51 UTC 
fixed
Comment 2 Howard Chu 2014-11-26 21:28:51 UTC 
changed notes
changed state Open to Test
moved from Incoming to Web
Comment 3 Howard Chu 2014-11-26 21:29:07 UTC 
yann.cam@gmail.com wrote:
> Full_Name: Yann CAM
> Version:
> OS:
> URL: http://www.openldap.org/its/
> Submission from: (NULL) (2a01:e34:edbf:a5d0:845:664b:ce80:cf7b)
>
>
> I'm contacting you to inform you about the presence of a Reflected XSS
> vulnerability on the www.openldap.org main domain.

Thanks for the report, this is now fixed.
>
> Through this vulnerability, an attacker could tamper with page rendering,
> redirect victims to fake OpenLdap pages, or capture users data.
>
> This reflected XSS is on GET "id" variable of the current "JitterBug" tracker,
> and is not properly sanitized before being used to his page.
>
> The JitterBug tracker project seems to be suspended
> (https://www.samba.org/cgi-bin/jitterbug/), this vulnerability isn't specific to
> your bug tracker. I just open a ticket to report this vulnerability to the
> samba-jitterbug maintainers (https://bugzilla.samba.org/show_bug.cgi?id=10967).
>
> Proof of Concept, tested with Firefox 33.1.1 (screenshot in attachment):
>
>      http://www.openldap.org/its/index.cgi/Documentation?id=1337</TITLE><img
> src=x onerror="alert(/Reflected XSS - Yann CAM @ASAfety/)"
> /><TITLE>;selectid=1337
>
> Screenshots available :
>
> http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_001.png
> http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_002.png
>
> Feel free to contact me for more information,
>
> Best regards,
>
> Yann CAM - Security Consultant @ASafety - Synetis - www.synetis.com
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
Comment 4 Quanah Gibson-Mount 2015-11-30 18:23:58 UTC 
changed state Test to Closed