XSS from CVE-2020-35132 (#130) still unfixed

[epozuelo]

I was able to reproduce the issue reported in #130 with 1.2.6.2, the version that supposedly fixed that bug. Thus I believe the fix was incomplete and phpLDAPadmin is still vulnerable to that XSS.

The steps to reproduce are the same as outlined in #130 (comment)

[apoleon]

I believe this line in lib/PageRender.php needs to be fixed as well. The old value must be escaped with htmlspecialchars too. After that I cannot reproduce the XSS exploit anymore.

phpLDAPadmin/lib/PageRender.php

Line 559 in a4924f7

echo $attribute->getOldValue($i);

[carnil]

@leenooks any news on this issue?

[carnil]

@leenooks any update on the status for this issue?

[williamdes]

@leenooks any update on the status for this issue?

I reproduced this XSS on the Update page, with the previous value already containing the XSS payload.
See steps: #130 (comment)

[williamdes]

#137 (comment)

Fix:

diff --git a/lib/PageRender.php b/lib/PageRender.php
index d905c96..b0682bf 100644
--- a/lib/PageRender.php
+++ b/lib/PageRender.php
@@ -556,7 +556,7 @@ class PageRender extends Visitor {
        final protected function drawOldValueAttribute($attribute,$i) {
                if (DEBUGTMP) printf('<font size=-2>%s</font><br />',__METHOD__);
 
-               echo $attribute->getOldValue($i);
+               echo htmlspecialchars($attribute->getOldValue($i));
        }
 
        /** DRAW DISPLAYED CURRENT VALUES **/

[williamdes]

PR done in: #201

[williamdes]

Released as 1.2.6.6 🎉