Bug 749677 (CVE-2011-4082) - CVE-2011-4082 phpldapadmin: local file inclusion flaw fixed in 0.9.8
Summary: CVE-2011-4082 phpldapadmin: local file inclusion flaw fixed in 0.9.8
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2011-4082
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 749678
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-10-27 21:12 UTC by Vincent Danen
Modified: 2019-09-29 12:48 UTC (History)
2 users (show)

Fixed In Version: phpldapadmin 0.9.8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-31 15:43:20 UTC
Embargoed:


Attachments (Terms of Use)

Description Vincent Danen 2011-10-27 21:12:50 UTC
A local file inclusion flaw was found in the way the phpLDAPadmin, a web based LDAP client for managing LDAP servers, processed certain values of the "Accept-Language" HTTP header. A remote attacker could use this flaw to cause a denial of service (generate recursive inclusions leading to resource exhaustion) via specially-crafted request.

Note: A different issue than CVE-2011-4075 (due the different attack vector and different source code file in question).

References:

http://www.securityfocus.com/bid/50328/info
http://www.securityfocus.com/data/vulnerabilities/exploits/50328.java

This was corrected in phpLDAPAdmin 0.9.8.5 and was assigned the name CVE-2011-4082.

Comment 1 Vincent Danen 2011-10-27 21:13:40 UTC
Created phpldapadmin tracking bugs for this issue

Affects: epel-4 [bug 749678]

Comment 2 Vincent Danen 2011-10-31 15:43:20 UTC
This was actually fixed in 0.9.8 (only versions <= 0.9.7 are vulnerable).  EPEL4 currently has 0.9.8.3, and the contents of common.php in 0.9.8.3 and 0.9.8.5 are identical, so EPEL4 is not vulnerable to this.


Note You need to log in before you can comment on or make changes to this bug.