Bug 748537 (CVE-2011-4074, CVE-2011-4075) - CVE-2011-4074 CVE-2011-4075 phpldapadmin: XSS and code injection vulnerabilities in <= 1.2.1.1
Status: CLOSED ERRATA
Alias: CVE-2011-4074, CVE-2011-4075
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 748538 748539
Reported: 2011-10-24 18:14 UTC by Vincent Danen
Modified: 2019-09-29 12:48 UTC (History)

Doc Type: Bug Fix
Last Closed: 2015-08-24 16:03:48 UTC



Description Vincent Danen 2011-10-24 18:14:40 UTC
Two flaws were reported [1],[2],[3] in phpLDAPAdmin 1.2.1.1 and probably earlier versions.

1) Input appended to the URL in cmd.php (when "cmd" is set to "_debug") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "orderby" parameter in cmd.php (when "cmd" is set to "query_engine", "query" is set to "none", and "search" is set to e.g. "1") is not properly sanitised in lib/functions.php before being used in a "create_function()" function call. This can be exploited to inject and execute arbitrary PHP code.

Both issues are fixed in git: issue #1 [4] and issue #2 [5].

[1] http://sourceforge.net/tracker/index.php?func=detail&aid=3417184&group_id=61828&atid=498546
[2] http://www.exploit-db.com/exploits/18021/
[3] https://secunia.com/advisories/46551/
[4] http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;a=blobdiff;f=htdocs/cmd.php;h=0ddf0044355abc94160be73122eb34f3e48ab2d9;hp=34f3848fe4a6d4c00c7c568afa81f59579f5d724;hb=64668e882b8866fae0fa1b25375d1a2f3b4672e2;hpb=caeba72171ade4f588fef1818aa4f6243a68b85e
[5] http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;a=blobdiff;f=lib/functions.php;h=eb160dc9f7d74e563131e21d4c85d7849a0c6638;hp=19fde9974d4e5eb3bfac04bb223ccbefdb98f9a0;hb=76e6dad13ef77c5448b8dfed1a61e4acc7241165;hpb=5d4245f93ae6f065e7535f268e3cd87a23b07744


I am unsure whether these flaws only affect 1.2.x or if they also affect older 1.x and 0.x.
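The injection in issue #2 above, as an added illustration that is not phpLDAPAdmin's own code and does not reproduce lib/functions.php: a comparator factory that splices the caller-supplied attribute list into PHP source for create_function(), beside a version that validates the attribute names and captures them in a closure. The Entry class, the attribute-name grammar and the sample entries are assumptions made for the example; create_function() was deprecated in PHP 7.2 and removed in 8.0, so the vulnerable half only executes on older interpreters.

```php
<?php
// Added example, not phpLDAPAdmin code: the create_function() injection pattern
// behind issue #2, beside a hardened comparator. Entry and the sample data are
// assumptions made for this illustration.

final class Entry {
    private $attrs;
    public function __construct(array $attrs) { $this->attrs = $attrs; }
    public function getValue(string $attr): string { return $this->attrs[$attr] ?? ''; }
}

// VULNERABLE: attacker-controlled attribute names are spliced into PHP source
// and compiled with create_function(), which is eval() in disguise.
// A value such as   cn'));}phpinfo();//   closes the string, both calls and the
// statement, closes the generated function body with "}", appends phpinfo(),
// and the "//" swallows the rest of the generated line, including the closing
// brace create_function() itself appends. create_function() was deprecated in
// PHP 7.2 and removed in 8.0, so this half only runs on older interpreters.
function vulnerable_comparator(string $sortby): callable {
    $code = '$c = 0;';
    foreach (explode(',', $sortby) as $key) {
        $code .= "\$c = strcmp(\$a->getValue('$key'), \$b->getValue('$key'));";
        $code .= 'if ($c != 0) { return $c; }';
    }
    $code .= 'return $c;';
    return create_function('$a, $b', $code);
}

// HARDENED: no code generation. Each attribute name must match the LDAP
// attribute-type description grammar (RFC 4512: a letter, then letters, digits
// or hyphens); the validated names are captured by a closure and used only as
// data passed to getValue().
function safe_comparator(string $sortby): callable {
    $keys = [];
    foreach (explode(',', $sortby) as $key) {
        $key = trim($key);
        if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*\z/', $key)) {
            throw new InvalidArgumentException("invalid orderby attribute: $key");
        }
        $keys[] = $key;
    }
    return function (Entry $a, Entry $b) use ($keys): int {
        foreach ($keys as $key) {
            $c = strcmp($a->getValue($key), $b->getValue($key));
            if ($c !== 0) {
                return $c;
            }
        }
        return 0;
    };
}

// Constructed sample entries, sorted by sn then cn.
$entries = [
    new Entry(['cn' => 'carol', 'sn' => 'Smith']),
    new Entry(['cn' => 'alice', 'sn' => 'Smith']),
    new Entry(['cn' => 'bob',   'sn' => 'Jones']),
];
usort($entries, safe_comparator('sn,cn'));
foreach ($entries as $e) {
    echo $e->getValue('sn'), ' ', $e->getValue('cn'), "\n";
}

// The same payload shape that reaches create_function() above is rejected here
// before any code is built.
try {
    safe_comparator("cn'));}phpinfo();//");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The hardened factory keeps the same call shape (a callable handed to usort()), so it can replace the vulnerable one without changing callers; the fix is that the request value never becomes source text, only a string compared and looked up.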

Comment 1 Vincent Danen 2011-10-24 18:16:54 UTC
Created phpldapadmin tracking bugs for this issue

Affects: fedora-all [bug 748538]
Affects: epel-6 [bug 748539]

Comment 2 Vincent Danen 2011-10-25 15:29:06 UTC
Issue #1 was assigned the name CVE-2011-4074 and issue #2 was assigned the name CVE-2011-4075.

Comment 3 Dmitry Butskoy 2011-10-26 15:12:49 UTC
CVE-2011-4075 (issue #2) seems to affect 1.0.x and 0.9.8.x as well. I've patched 1.0.2 (el5) and 0.9.8.5 (el4) for this.

Updates for f14/f15/f16 and el4/el5/el6 should appear in updates-testing soon.

Comment 4 Jan Lieskovsky 2011-10-27 11:56:03 UTC
Yet another security flaw in phpLDAPadmin -- local file inclusion in "common.php" file via the "Accept-Language" HTTP header:

[6] http://www.securityfocus.com/bid/50328/exploit

Relevant exploit:
[7] http://downloads.securityfocus.com/vulnerabilities/exploits/50328.java

The patch applied by phpLDAPadmin v0.9.8.5 version would fix this issue too.
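The Accept-Language include pattern described in comment 4, as an added example that is not phpLDAPAdmin's code and does not reproduce its common.php: a header value that reaches include() unchecked, beside a resolver that matches the header's language tags against an allowlist taken from the filesystem and never builds a path from request data. The lang/ directory layout, the en_US.php file naming and the sample header values are assumptions made for the example.

```php
<?php
// Added example, not phpLDAPAdmin code: a header-driven include pattern of the
// kind described in comment 4, beside a resolver that never builds a path from
// request data. The lang/ directory, the en_US.php naming and the sample
// header values are assumptions made for this illustration.

// VULNERABLE: the first Accept-Language tag is used directly as a path
// component. Anything the client puts in the header (path separators, "..")
// selects which local file include() loads.
function vulnerable_load_language(string $acceptLanguage, string $dir): void {
    $lang = trim(explode(',', $acceptLanguage)[0]);
    include "$dir/$lang.php";
}

// HARDENED, step 1: reduce the header to a trusted spelling from an allowlist.
// Tags are checked for RFC 5646 shape (letters/digits joined by hyphens),
// q-values are stripped, and the first tag with an allowlisted translation
// wins. The returned value is the allowlist entry itself, never the header's
// own bytes.
function resolve_language(string $acceptLanguage, array $available, string $default = 'en_US'): string {
    foreach (explode(',', $acceptLanguage) as $part) {
        $tag = trim(explode(';', $part, 2)[0]);              // drop ";q=0.8"
        if (!preg_match('/^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*\z/', $tag)) {
            continue;                                        // "../x", NUL bytes, "*" never get further
        }
        $candidate = str_replace('-', '_', $tag);            // en-US -> en_US (assumed on-disk naming)
        foreach ($available as $avail) {
            if (strcasecmp($candidate, $avail) === 0) {
                return $avail;
            }
        }
    }
    return $default;                                         // assumed to exist on disk
}

// HARDENED, step 2: the allowlist comes from the directory listing, so the
// include target is always one of the application's own translation files.
function load_language(string $acceptLanguage, string $dir): string {
    $available = array_map(
        static function (string $path): string { return basename($path, '.php'); },
        glob("$dir/*.php") ?: []
    );
    $lang = resolve_language($acceptLanguage, $available);
    include "$dir/$lang.php";
    return $lang;
}

// Constructed header values run against a constructed allowlist; no files needed.
$available = ['en_US', 'de_DE', 'fr_FR'];
foreach ([
    'de-DE,de;q=0.9,en;q=0.8',
    'fr-FR;q=0.5, en-US',
    '../../../../etc/passwd',
    "en-US\0x",
    '*',
] as $hdr) {
    echo str_pad(var_export($hdr, true), 32), ' => ', resolve_language($hdr, $available), "\n";
}
```

The resolver does not try to be a complete Accept-Language negotiator (q-values are ignored beyond being stripped); the point is that a request header only ever selects among names the application already knows, and the filename used in include() is the application's spelling, not the client's.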

Comment 5 Jan Lieskovsky 2011-10-27 12:10:31 UTC
CVE request for the third issue:
[8] http://www.openwall.com/lists/oss-security/2011/10/27/3

Comment 6 Dmitry Butskoy 2011-10-27 12:35:24 UTC
For comment #4:

The "common.php" issue was fixed even in 0.9.8.3, and that version has been in Fedora/EPEL since 2006. It has not been relevant for us for at least the last 5 years.

0.9.8.5 is not a "fix" for this particular issue; I have just updated to the latest subversion in that branch, in addition to the patch that fixes CVE-2011-4075.

Comment 7 Kurt Seifried 2011-10-27 15:18:12 UTC
Confirmed vulnerable in 0.9.7, and fixed in 0.9.8 (common.php was moved into /lib/ and majorly refactored, no more include()s).

Comment 8 Vincent Danen 2011-10-27 21:13:07 UTC
Since this third issue only affects EPEL4, I filed a new bug for it: bug #749677.

Comment 9 Fedora Update System 2011-11-25 01:52:48 UTC
phpldapadmin-1.2.1.1-2.20111006git.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2011-11-25 01:56:13 UTC
phpldapadmin-1.2.1.1-2.20111006git.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

