phpLDAPadmin
XSS from CVE-2020-35132 (#130) still unfixed
I was able to reproduce the issue reported in #130 with 1.2.6.2, the version that supposedly fixed that bug. Thus I believe the fix was incomplete and phpLDAPadmin is still vulnerable to that XSS.
The steps to reproduce are the same as outlined in https://github.com/leenooks/phpLDAPadmin/issues/130#issue-754474648
I believe this line in lib/PageRender.php needs to be fixed as well. The old value must be escaped with htmlspecialchars too. After that I cannot reproduce the XSS exploit anymore.
https://github.com/leenooks/phpLDAPadmin/blob/a4924f7453254366403f11108ebc16f03037b750/lib/PageRender.php#L559
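The escaping described above, as an added example that is not phpLDAPadmin's own code: a minimal stand-in for the old-value rendering path, with the unescaped and escaped forms side by side and a check that the escaped fragment can no longer open a tag or break out of an attribute. `StoredAttribute`, the two `drawOldValue*` functions and `isInert` are hypothetical names, and the sample value is constructed.

```php
<?php
// Added example, not phpLDAPadmin code: models a stored attribute value being
// rendered into HTML the way drawOldValueAttribute() does.

// Hypothetical stand-in for the real attribute object's getOldValue($i).
final class StoredAttribute {
    private array $old;
    public function __construct(array $old) { $this->old = $old; }
    public function getOldValue(int $i): string { return $this->old[$i]; }
}

// Vulnerable rendering: the stored value is emitted verbatim, so any markup
// that made it into the directory is interpreted by the browser.
function drawOldValueUnescaped(StoredAttribute $a, int $i): string {
    return $a->getOldValue($i);
}

// Hardened rendering. ENT_QUOTES escapes both quote styles (before PHP 8.1 the
// default flags leave single quotes alone); ENT_SUBSTITUTE keeps invalid UTF-8
// from silently emptying the output; the charset is stated explicitly.
function drawOldValueEscaped(StoredAttribute $a, int $i): string {
    return htmlspecialchars($a->getOldValue($i), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Defensive check for a rendered fragment: none of the characters that start a
// tag or terminate an attribute value may survive escaping.
function isInert(string $html): bool {
    return strpbrk($html, "<>\"'") === false;
}

// Constructed sample: a stored value carrying harmless markup and both quote
// styles, standing in for a tainted LDAP attribute value.
$attr = new StoredAttribute(['<i>not a value</i> "dq" \'sq\'']);

$raw     = drawOldValueUnescaped($attr, 0);
$escaped = drawOldValueEscaped($attr, 0);

printf("unescaped: %s  inert=%s\n", $raw, isInert($raw) ? 'yes' : 'no');
printf("escaped:   %s  inert=%s\n", $escaped, isInert($escaped) ? 'yes' : 'no');
```

Run with `php example.php`; the unescaped line reports `inert=no` and the escaped line `inert=yes`, with the markup rendered as `&lt;i&gt;` and the quotes as `&quot;` and `&#039;`.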
@leenooks any news on this issue?
@leenooks any update on the status for this issue?
@leenooks any update on the status for this issue?
I reproduced this XSS on the Update page, with the previous value already containing the XSS payload. See steps: https://github.com/leenooks/phpLDAPadmin/issues/130#issue-754474648
https://github.com/leenooks/phpLDAPadmin/issues/137#issuecomment-950691115
Fix:
diff --git a/lib/PageRender.php b/lib/PageRender.php
index d905c96..b0682bf 100644
--- a/lib/PageRender.php
+++ b/lib/PageRender.php
@@ -556,7 +556,7 @@ class PageRender extends Visitor {
final protected function drawOldValueAttribute($attribute,$i) {
if (DEBUGTMP) printf('<font size=-2>%s</font><br />',__METHOD__);
- echo $attribute->getOldValue($i);
+ echo htmlspecialchars($attribute->getOldValue($i));
}
/** DRAW DISPLAYED CURRENT VALUES **/
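Review bot: the added call on `+ echo htmlspecialchars($attribute->getOldValue($i));` uses htmlspecialchars() with its default flags; before PHP 8.1 that default is ENT_COMPAT, which leaves single quotes unescaped, so the fix only holds as long as this value is never emitted inside a single-quoted attribute. Passing `ENT_QUOTES | ENT_SUBSTITUTE` with an explicit `'UTF-8'` charset makes the escaping context-independent and consistent across PHP versions.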
PR done in: https://github.com/leenooks/phpLDAPadmin/pull/201
Released as 1.2.6.6 🎉