LDAP Account Manager Unspecified HTML Injection Vulnerability

Bugtraq ID:	23190
Class:	Input Validation Error
CVE:	CVE-2007-1840
Remote:	Yes
Local:	No
Published:	Mar 28 2007 12:00AM
Updated:	May 16 2007 10:28PM
Credit:	An anonymous researcher is credited with the discovery of this vulnerability.
Vulnerable:	LAM LDAP Account Manager 1.2 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1
Not Vulnerable:	LAM LDAP Account Manager 1.3

LDAP Account Manager Unspecified HTML Injection Vulnerability

LDAP Account Manager is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

LDAP Account Manager versions prior to 1.3.0 are vulnerable to this issue.

LDAP Account Manager Unspecified HTML Injection Vulnerability

Attackers can use a browser to exploit this issue.

LDAP Account Manager Unspecified HTML Injection Vulnerability

Solution:
The vendor has released updates to address this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.


LAM LDAP Account Manager 1.2

• LAM LDAP Account Manager 1.3.0
  http://lam.sourceforge.net/download/index.htm

LDAP Account Manager Unspecified HTML Injection Vulnerability

References:

• [ 1687379 ] LAM does not escape HTML chars in LDAP data (LAM)
  
• LDAP Account Manager Homepage (Roland Gruber Softwareentwicklung)