A Debian bug report [1] noted a phpldapadmin local file inclusion vulnerability. Upstream has not addressed this yet from what I can see, and a public exploit/advisory is available [2] as well as a Secunia advisory [3]. This would affect Fedora 11, 12, and rawhide as well as EPEL4 and EPEL5. No CVE name has been assigned yet.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561975
[2] http://www.exploit-db.com/exploits/10410
[3] http://secunia.com/advisories/37848/
Reported upstream, https://sourceforge.net/tracker/?func=detail&aid=2919337&group_id=61828&atid=498546
Only F11 is affected. The solution is to upgrade to 1.2. F12 and rawhide already have phpldapadmin-1.2.0.4, which is not affected. EPEL4 and EPEL5 have versions before 1.1, which are not affected.
phpldapadmin-1.2.0.4-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/phpldapadmin-1.2.0.4-1.fc11
phpldapadmin-1.2.0.4-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
According to http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page...

> This vulnerability is confirmed in 1.1.0.7 and probably exists in previous releases

...so are we sure this doesn't need fixing in EPEL?
As I've already mentioned in comment #3, EPEL4 and EPEL5 have versions before 1.1, which are not affected. IOW, phpldapadmin 1.0.1 is not affected, as it has no such feature and no corresponding piece of code (which was added only in version 1.1).
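The thread above settles the affected range by package version: releases before 1.1 lack the code path, 1.1.0.7 is confirmed affected, and 1.2.0.4 is not affected. The following is an added example (not part of this bug report and not phpldapadmin's own code) that turns that reasoning into a triage check over the `name-version-release` strings that `rpm -q phpldapadmin` prints. The sample NVR lines other than `phpldapadmin-1.2.0.4-1.fc11` are constructed for illustration, and the range boundaries encode the maintainer's statement in comments #3 and #7, not an independent analysis.

```python
"""Triage installed phpldapadmin packages against the affected version range
stated in the bug report (>= 1.1 and < 1.2). Added example, not project code."""

import re
from typing import Dict, Tuple

# Range boundaries taken from the thread: pre-1.1 releases lack the feature,
# 1.1.0.7 is confirmed affected, 1.2.0.4 (the Fedora update) is not affected.
AFFECTED_MIN: Tuple[int, ...] = (1, 1)  # inclusive
FIXED_MIN: Tuple[int, ...] = (1, 2)     # exclusive


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.0.4' into (1, 2, 0, 4). Parsing stops at the first segment
    that does not start with a digit, so '1.1.0.7rc1' compares as (1, 1, 0, 7)."""
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def version_from_nvr(nvr: str) -> str:
    """Extract the version field from an RPM name-version-release string such
    as 'phpldapadmin-1.2.0.4-1.fc11'. The version is the first '-'-delimited
    field that starts with a digit; the release is everything after it."""
    match = re.fullmatch(r"(?P<name>.+?)-(?P<ver>\d[^-]*)-(?P<rel>[^-]+)", nvr)
    if not match:
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    return match.group("ver")


def is_affected(version: str) -> bool:
    """True when the version lies in the range the thread calls affected.
    Python tuple comparison gives (1, 1, 0, 7) >= (1, 1) and (1, 2, 0, 4) >= (1, 2),
    so the two boundaries behave as inclusive lower / exclusive upper bounds."""
    parsed = parse_version(version)
    return AFFECTED_MIN <= parsed < FIXED_MIN


def triage(nvr_lines: str) -> Dict[str, str]:
    """Classify each non-empty line of `rpm -q` output as 'affected',
    'not affected' or 'unknown' (when the line cannot be parsed)."""
    results: Dict[str, str] = {}
    for line in nvr_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            results[line] = "affected" if is_affected(version_from_nvr(line)) else "not affected"
        except ValueError:
            results[line] = "unknown"
    return results


# Constructed sample of `rpm -q phpldapadmin` output from several hosts; only the
# first NVR appears in the bug report, the others are made up for illustration.
SAMPLE_RPM_OUTPUT = """
phpldapadmin-1.2.0.4-1.fc11
phpldapadmin-1.1.0.7-1.fc11
phpldapadmin-1.0.1-5.el5
package phpldapadmin is not installed
"""

if __name__ == "__main__":
    for nvr, verdict in triage(SAMPLE_RPM_OUTPUT).items():
        print(f"{verdict:13s} {nvr}")
```

Run it as-is to see the verdict for the constructed sample, or pipe `rpm -q phpldapadmin` from a fleet into `triage()`; anything reported as `unknown` (for example the "not installed" message) needs a human look rather than silent acceptance.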