Red Hat Directory Server Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	30870
Class:	Input Validation Error
CVE:	CVE-2008-2929
Remote:	Yes
Local:	No
Published:	Aug 27 2008 12:00AM
Updated:	Apr 13 2015 10:25PM
Credit:	Reported by Red Hat
Vulnerable:	Redhat Fedora Directory Server 1.0.1 Redhat Fedora Directory Server 1.0 Redhat Directory Server 8 EL 5 Redhat Directory Server 8 EL 4 Redhat Directory Server 7.1 SP6 Redhat Directory Server 7.1 SP5 Redhat Directory Server 7.1 SP4 Redhat Directory Server 7.1 SP3 Redhat Directory Server 7.1 SP2 Redhat Directory Server 7.1 SP1 Redhat Directory Server 7.1 HP HP-UX 11.23 HP HP-UX 11.11 HP HP-UX 11.31
Not Vulnerable:	Redhat Directory Server 7.1 SP7

Red Hat Directory Server Multiple Cross Site Scripting Vulnerabilities

Red Hat Directory Server is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Red Hat Directory Server Multiple Cross Site Scripting Vulnerabilities

To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URI.

Red Hat Directory Server Multiple Cross Site Scripting Vulnerabilities

Solution:
Red Hat has released updates and advisories. Please see the references for more information.

Red Hat Directory Server Multiple Cross Site Scripting Vulnerabilities

References:

• CVE-2008-2929 Directory Server: multiple XSS issues (Red Hat)
  
• Red Hat Directory Server Homepage (Red Hat)
  
• HPSBUX02354 SSRT080113 rev.1 - HP-UX Running Netscape / Red Hat Directory Server (HP)
  
• RHSA-2008:0596-18 Red Hat Directory Server 7.1 Service Pack 7 security update (Red Hat)
  
• RHSA-2008:0602-13 Moderate: redhat-ds-base and redhat-ds-admin security and bug (Red Hat)