[Secure-testing-team] Bug#646754: Exploit in phpldapadmin lets attacker execute arbitrary code
John Bloom
john at sheeplauncher.net
Wed Oct 26 19:24:26 UTC 2011
Package: phpldapadmin
Version: 1.2.0.5-2
Severity: critical
Tags: security upstream
Justification: root security hole
All versions of phpldapadmin <= 1.2.1.1 (all released versions as of
today) are vulnerable to a remote code execution bug. Arbitrary code can be
executed as the user running the web server that phpldapadmin is running
under (usually www-data). Details can be found here:
- exploit DB: http://www.exploit-db.com/exploits/18021/
- phpldapadmin bug tracker:
http://sourceforge.net/tracker/index.php?func=detail&aid=3417184&group_id=61828&atid=498546
- example of exploit in the wild: http://dev.metasploit.com/redmine/issues/5820
Justification for critical status: I'm not sure if www-data would be
considered a "privileged" account, but I believe this exploit could be
used to stage a man-in-the-middle attack against anyone logging into
phpldapadmin as the LDAP administrator user.
-- System Information:
Debian Release: 6.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages phpldapadmin depends on:
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii lighttpd [httpd] 1.4.28-2 A fast webserver with minimal memo
ii php5 5.3.3-7+squeeze3 server-side, HTML-embedded scripti
ii php5-cgi 5.3.3-7+squeeze3 server-side, HTML-embedded scripti
ii php5-ldap 5.3.3-7+squeeze3 LDAP module for php5
ii ucf 3.0025+nmu1 Update Configuration File: preserv
phpldapadmin recommends no packages.
phpldapadmin suggests no packages.
-- debconf information excluded
More information about the Secure-testing-team
mailing list