Intrusion Prevention

SurgeLDAP.User.CGI.XSS

Description

This indicates an attempt to exploit one of several vulnerabilities in NetWin SurgeLDAP.
SurgeLDAP contains a cross-site scripting vulnerability: if an attacker supplies hostile HTML and web scripts to a user, they can be executed on the system.
If SurgeLDAP is supplied an overly long HTML request, the server can crash, leading to a denial of service.
SurgeLDAP stores passwords in a plaintext file. Any user with local access to the machine can therefore view the passwords for all users.

Affected Products

NetWin SurgeLDAP 1.0 d

Impact

Denial of Service.
System compromise: remote code execution.

Recommended Actions

Apply the appropriate patch from the vendor or upgrade to a non-vulnerable version.