From yann.cam@gmail.com Wed Nov 26 20:16:39 2014
From: yann.cam@gmail.com
To: openldap-bugs@openldap.org
Subject: (ITS#7988) Reflected XSS vulnerability in www.openldap.org
Date: Wed, 26 Nov 2014 20:16:38 +0000
Message-ID: <E1Xtj0w-0003cA-Qn@gauss.openldap.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8885587569171962577=="

--===============8885587569171962577==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Full_Name: Yann CAM
Version:=20
OS:=20
URL: http://www.openldap.org/its/
Submission from: (NULL) (2a01:e34:edbf:a5d0:845:664b:ce80:cf7b)


I'm contacting you to inform you about the presence of a Reflected XSS
vulnerability on the www.openldap.org main domain.

Through this vulnerability, an attacker could tamper with page rendering,
redirect victims to fake OpenLdap pages, or capture users data.

This reflected XSS is on GET "id" variable of the current "JitterBug" tracker,
and is not properly sanitized before being used to his page.

The JitterBug tracker project seems to be suspended
(https://www.samba.org/cgi-bin/jitterbug/), this vulnerability isn't specific=
 to
your bug tracker. I just open a ticket to report this vulnerability to the
samba-jitterbug maintainers (https://bugzilla.samba.org/show_bug.cgi?id=3D109=
67).

Proof of Concept, tested with Firefox 33.1.1 (screenshot in attachment):

    http://www.openldap.org/its/index.cgi/Documentation?id=3D1337</TITLE><img
src=3Dx onerror=3D"alert(/Reflected XSS - Yann CAM @ASAfety/)"
/><TITLE>;selectid=3D1337

Screenshots available :

http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_001.png
http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_002.png

Feel free to contact me for more information,

Best regards,

Yann CAM - Security Consultant @ASafety - Synetis - www.synetis.com


--===============8885587569171962577==--