John Bloom
2011-Oct-26 19:24 UTC
[Secure-testing-team] Bug#646754: Exploit in phpldapadmin lets attacker execute arbitrary code
Package: phpldapadmin Version: 1.2.0.5-2 Severity: critical Tags: security upstream Justification: root security hole All versions of phpldapadmin <= 1.2.1.1 (all released versions as of today) are vulnerable to a remote code execution bug. Arbitrary code can be executed as the user running the web server that phpldapadmin is running under (usually www-data). Details can be found here: - exploit DB: http://www.exploit-db.com/exploits/18021/ - phpldapadmin bug tracker: http://sourceforge.net/tracker/index.php?func=detail&aid=3417184&group_id=61828&atid=498546 - example of exploit in the wild: http://dev.metasploit.com/redmine/issues/5820 Justification for critical status: I''m not sure if www-data would be considered a "privileged" account, but I believe this exploit could be used to stage a man-in-the-middle attack against anyone logging into phpldapadmin as the LDAP administrator user. -- System Information: Debian Release: 6.0.2 APT prefers stable APT policy: (500, ''stable'') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages phpldapadmin depends on: ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy ii lighttpd [httpd] 1.4.28-2 A fast webserver with minimal memo ii php5 5.3.3-7+squeeze3 server-side, HTML-embedded scripti ii php5-cgi 5.3.3-7+squeeze3 server-side, HTML-embedded scripti ii php5-ldap 5.3.3-7+squeeze3 LDAP module for php5 ii ucf 3.0025+nmu1 Update Configuration File: preserv phpldapadmin recommends no packages. phpldapadmin suggests no packages. -- debconf information excluded