ldap-account-manager -- multiple vulnerabilities

ID DSA-1287
Type debian
Reporter Debian
Modified 2007-05-07T00:00:00


Two vulnerabilities have been identified in the version of ldap-account-manager shipped with Debian 3.1 (sarge).

An untrusted PATH vulnerability could allow a local attacker to execute arbitrary code with elevated privileges by providing a malicious rm executable and specifying a PATH environment variable referencing this executable.
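The class of bug described above is easiest to see side by side with its fix. The following is an added Python example, not code from ldap-account-manager or from Debian: it builds a constructed directory holding a fake `rm`, shows that a PATH-relative lookup under a caller-supplied PATH picks the fake binary first, and contrasts that with a helper that only ever resolves `rm` against a fixed trusted search path and runs it with a sanitised environment. `TRUSTED_PATH` and the helper names are assumptions for this example.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Fixed search path the hardened helper uses no matter what the caller's
# environment says (assumption for this example; use your platform's real dirs).
TRUSTED_PATH = "/usr/bin:/bin"


def resolve_command(name, path):
    """Mimic the shell's lookup: the first executable called `name` in `path` wins."""
    return shutil.which(name, path=path)


def run_trusted(name, args):
    """Run `name` only if it resolves under TRUSTED_PATH, with a sanitised environment.

    The inherited PATH is never consulted, and the child gets a minimal env so that
    other loader-influencing variables from the caller are dropped as well.
    """
    exe = resolve_command(name, TRUSTED_PATH)
    if exe is None:
        raise FileNotFoundError(f"{name} not found in trusted path {TRUSTED_PATH}")
    # '--' stops a file name beginning with '-' from being parsed as an option.
    return subprocess.run([exe, "--", *args], env={"PATH": TRUSTED_PATH},
                          check=True, capture_output=True, text=True)


def demonstrate():
    """Compare a tainted PATH lookup with the hardened one (constructed scenario)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for an attacker-controlled directory: a harmless
        # script named 'rm' that is never executed here, only resolved.
        fake_rm = os.path.join(tmp, "rm")
        with open(fake_rm, "w") as fh:
            fh.write("#!/bin/sh\necho 'fake rm: this would run with the caller privileges'\n")
        os.chmod(fake_rm, stat.S_IRWXU)

        # The vulnerable pattern: trusting whatever PATH the caller supplied.
        tainted_path = tmp + os.pathsep + TRUSTED_PATH
        tainted = resolve_command("rm", tainted_path)
        # The fixed pattern: a fixed search path that the caller cannot influence.
        trusted = resolve_command("rm", TRUSTED_PATH)

        victim = os.path.join(tmp, "to-delete.txt")
        open(victim, "w").close()
        run_trusted("rm", [victim])  # executes the real rm, never the fake one

        return {
            "tainted_resolves_to_fake": tainted is not None
                                        and os.path.samefile(tainted, fake_rm),
            "trusted_resolves_to_fake": trusted is not None
                                        and os.path.samefile(trusted, fake_rm),
            "trusted_executable": trusted,
            "victim_removed": not os.path.exists(victim),
        }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The same idea applies to any language: call helpers by absolute path or through a fixed search list, and build the child's environment from scratch instead of inheriting it, especially in code that runs with privileges its caller does not have.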

Improper escaping of HTML content could allow an attacker to execute a cross-site scripting attack (XSS) and execute arbitrary code in the victim's browser in the security context of the affected web site.
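As an added illustration of the escaping problem (Python example, not code from ldap-account-manager), the snippet below renders a constructed directory entry into an HTML table row twice: once by raw string concatenation, which lets a value containing markup break out of its element or attribute, and once with context-appropriate escaping plus a separate validity check for the one value that ends up in a URL, where escaping alone is not enough. The entry, the row layout and the helper names are assumptions for the example.

```python
import html
import re

# Constructed sample entry: attribute values as an attacker could have stored them
# in the directory, with markup in a text context and a quote in an attribute context.
SAMPLE_ENTRY = {
    "uid": 'jdoe" onmouseover="alert(1)',
    "cn": "<script>alert(document.cookie)</script>",
    "mail": "jdoe@example.org",
}

# Minimal shape check for a mail address used inside a mailto: link; HTML escaping
# neutralises markup but does nothing against an unexpected URL scheme here.
MAIL_RE = re.compile(r'^[^@\s<>"\']+@[^@\s<>"\']+$')


def render_row_unescaped(entry):
    """The vulnerable pattern: untrusted values pasted straight into markup."""
    return (f'<tr data-uid="{entry["uid"]}"><td>{entry["cn"]}</td>'
            f'<td><a href="mailto:{entry["mail"]}">{entry["mail"]}</a></td></tr>')


def render_row(entry):
    """The fixed pattern: escape every value for the context it lands in."""
    # quote=True also turns " and ' into entities, which matters inside attributes.
    uid = html.escape(entry["uid"], quote=True)
    cn = html.escape(entry["cn"], quote=True)
    mail_raw = entry["mail"]
    mail = html.escape(mail_raw, quote=True)
    # Only build a link when the value looks like an address; otherwise show text only.
    if MAIL_RE.match(mail_raw):
        mail_cell = f'<a href="mailto:{mail}">{mail}</a>'
    else:
        mail_cell = mail
    # Attribute values are always double-quoted so escaped quotes cannot end them early.
    return f'<tr data-uid="{uid}"><td>{cn}</td><td>{mail_cell}</td></tr>'


def leaks_raw_markup(rendered, entry):
    """True if any untrusted value containing markup characters survived unescaped."""
    return any(v in rendered for v in entry.values() if re.search(r'[<>"\']', v))


if __name__ == "__main__":
    print("unescaped:", render_row_unescaped(SAMPLE_ENTRY))
    print("escaped:  ", render_row(SAMPLE_ENTRY))
```

Escaping the output preserves the data (the original strings come back from `html.unescape`) while ensuring the browser treats them as text rather than markup; the unescaped variant emits the `<script>` element and the injected event-handler attribute verbatim.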

For the old stable distribution (sarge), this problem has been fixed in version 0.4.9-2sarge1. Newer versions of Debian (etch, lenny, and sid) are not affected.

We recommend that you upgrade your ldap-account-manager package.