FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpldapadmin -- Cross-Site Scripting and Script Insertion vulnerabilities

Affected packages
phpldapadmin098 < 0.9.8.3

Details

VuXML ID 6d78202e-e2f9-11da-8674-00123ffe8333
Discovery 2006-04-21
Entry 2006-05-14

Secunia reports:

phpLDAPadmin has some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.

1) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "Container DN", "Machine Name", and "UID Number" parameters in "template_engine.php" isn't properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious user data is viewed.
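The defensive counterpart to both items above, as an added example that is not phpLDAPadmin's own code: a hypothetical PHP helper that validates the three template_engine.php fields named in the advisory and escapes every value on output, so stored or reflected markup is rendered as text rather than executed. The field keys, the table layout and the sample input are assumptions constructed for this illustration.

```php
<?php
// Added example, not phpLDAPadmin code: hypothetical helper that renders the
// three template_engine.php fields named in the advisory safely.
// Assumption: values arrive as strings (e.g. from $_POST) and are echoed into HTML.

declare(strict_types=1);

/** Escape a string for placement inside an HTML text node or attribute. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Validate the "UID Number" field: it must be a non-negative integer. */
function validate_uid_number(string $value): ?int
{
    return ctype_digit($value) ? (int) $value : null;
}

/** Validate the "Container DN" field loosely: non-empty, no control characters. */
function validate_dn(string $value): ?string
{
    if ($value === '' || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

/** Render the three fields as an HTML table row; every value is escaped on output. */
function render_template_row(array $fields): string
{
    $container = validate_dn($fields['container_dn'] ?? '');
    $machine   = $fields['machine_name'] ?? '';
    $uid       = validate_uid_number($fields['uid_number'] ?? '');

    if ($container === null || $uid === null) {
        return '<tr><td colspan="3">' . html_escape('Invalid Container DN or UID Number') . '</td></tr>';
    }
    return '<tr>'
        . '<td>' . html_escape($container) . '</td>'
        . '<td>' . html_escape($machine) . '</td>'
        . '<td>' . html_escape((string) $uid) . '</td>'
        . '</tr>';
}

// Constructed sample input: the Machine Name contains markup that must render as text.
$sample = [
    'container_dn' => 'ou=People,dc=example,dc=org',
    'machine_name' => 'host<b>name</b>',
    'uid_number'   => '1001',
];
echo render_template_row($sample), "\n";
```

The Machine Name is emitted as `host&lt;b&gt;name&lt;/b&gt;`, so a browser displays the literal characters instead of interpreting them; the same escaping applies wherever stored LDAP attribute values are later viewed.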

References

CVE Name CVE-2006-2016
URL http://pridels.blogspot.com/2006/04/phpldapadmin-multiple-vuln.html
URL http://secunia.com/advisories/19747/
URL http://www.frsirt.com/english/advisories/2006/1450