[Secure-testing-team] Bug#646754: Exploit in phpldapadmin lets attacker execute arbitrary code

John Bloom john at sheeplauncher.net
Wed Oct 26 19:24:26 UTC 2011


Package: phpldapadmin
Version: 1.2.0.5-2
Severity: critical
Tags: security upstream
Justification: root security hole

All versions of phpldapadmin <= 1.2.1.1 (all released versions as of
today) are vulnerable to a remote code execution bug. Arbitrary code can be
executed as the user running the web server that phpldapadmin is running
under (usually www-data). Details can be found here:
- exploit DB: http://www.exploit-db.com/exploits/18021/
- phpldapadmin bug tracker:
  http://sourceforge.net/tracker/index.php?func=detail&aid=3417184&group_id=61828&atid=498546
- example of exploit in the wild: http://dev.metasploit.com/redmine/issues/5820

Justification for critical status: I'm not sure if www-data would be
considered a "privileged" account, but I believe this exploit could be
used to stage a man-in-the-middle attack against anyone logging into
phpldapadmin as the LDAP administrator user.


-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages phpldapadmin depends on:
ii  debconf [debconf-2.0]   1.5.36.1         Debian configuration management sy
ii  lighttpd [httpd]        1.4.28-2         A fast webserver with minimal memo
ii  php5                    5.3.3-7+squeeze3 server-side, HTML-embedded scripti
ii  php5-cgi                5.3.3-7+squeeze3 server-side, HTML-embedded scripti
ii  php5-ldap               5.3.3-7+squeeze3 LDAP module for php5
ii  ucf                     3.0025+nmu1      Update Configuration File: preserv

phpldapadmin recommends no packages.

phpldapadmin suggests no packages.

-- debconf information excluded





More information about the Secure-testing-team mailing list