severity 415379 grave
tags 415379 + security
stop
Hi Debian security,

a user reported that LAM does not escape HTML special chars if such data is read from LDAP and displayed in the browser. E.g. the LDAP attribute which stores an account description could include "<", ">" and such chars.

Possible attack targets: Admin users who manage user and group accounts with LAM. LAM only allows a predefined list of admin users to use this application. Therefore only these persons can be attacked.

Needed privileges to start an attack: An attacker needs write access to the LDAP directory. This requires a valid LDAP account and LDAP ACLs which allow this account to write data. By default only admin users have write access. But ordinary users may also get access to change their mail address etc.

Affected releases:
Debian stable: ldap-account-manager 0.4.9-2
Debian Etch/testing: ldap-account-manager 1.1.1-1
Debian Unstable: ldap-account-manager 1.2.0-1

I will build patches right now.

--
Best regards

Roland Gruber

LDAP Account Manager
http://lam.sourceforge.net

Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm
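The defect the report describes, shown as an added PHP example that is not LAM's own code: the unsafe pattern echoes an LDAP attribute value straight into HTML, the hardened version escapes every value before output. The entry layout (a `count` key per attribute, lowercased attribute names) is the one PHP's `ldap_get_entries()` returns; the sample entry and the function names are constructed for this example.

```php
<?php
// Added example, not code from ldap-account-manager.
// Assumes the array shape of PHP's ldap_get_entries(): entries carry
// lowercased attribute names, and each attribute is an array with its
// own 'count' followed by the values at numeric indexes.

// Escape one LDAP value for output inside HTML text or attributes.
// ENT_QUOTES also converts single and double quotes, so the value is
// safe in attribute context, not only between tags.
function escape_ldap_value(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The pattern the report complains about: the raw directory value is
// written into the page, so "<", ">" and friends reach the browser as markup.
function render_description_unsafe(array $entry): string {
    return '<td>' . $entry['description'][0] . '</td>';
}

// Hardened rendering: every value is escaped, and multi-valued attributes
// are walked by their 'count' so no value slips through unescaped.
function render_attribute_safe(array $entry, string $attr): string {
    $cells = [];
    if (isset($entry[$attr]) && is_array($entry[$attr])) {
        for ($i = 0; $i < $entry[$attr]['count']; $i++) {
            $cells[] = escape_ldap_value($entry[$attr][$i]);
        }
    }
    return '<td>' . implode('<br>', $cells) . '</td>';
}

// Constructed sample entry (not real directory data): the description
// contains the special characters named in the report plus quotes and '&'.
$entry = [
    'dn'          => 'uid=jdoe,ou=people,dc=example,dc=com',
    'uid'         => ['count' => 1, 0 => 'jdoe'],
    'description' => ['count' => 2, 0 => 'Sales <EMEA> & "West"', 1 => "it's"],
    'count'       => 2,
];

echo render_description_unsafe($entry), "\n";            // markup reaches the browser
echo render_attribute_safe($entry, 'description'), "\n"; // entities only
```

The same escaping must be applied at every place a directory value is echoed (tables, form field values, page titles), since the LDAP write access the report describes lets an account owner control any attribute the ACLs permit.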