Home page logo

bugtraq logo Bugtraq mailing list archives

[SECURITY] [DSA 2333-1] phpldapadmin security update
From: Jonathan Wiltshire <jmw () debian org>
Date: Sun, 30 Oct 2011 13:29:53 +0100

Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-2333-1                    security () debian org
http://www.debian.org/security/                         Jonathan Wiltshire
Oct 31th, 2011                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : phpldapadmin
Vulnerability  : several
Problem type   : remote
Debian-specific: no
Debian bug     : 646754
CVE IDs        : CVE-2011-4075 CVE-2011-4074

Two vulnerabilities have been discovered in phpldapadmin, a web based
interface for administering LDAP servers. The Common Vulnerabilities and
Exposures project identifies the following problems:


  Input appended to the URL in cmd.php (when "cmd" is set to "_debug") is
  not properly sanitised before being returned to the user. This can be
  exploited to execute arbitrary HTML and script code in a user's browser
  session in context of an affected site.


  Input passed to the "orderby" parameter in cmd.php (when "cmd" is set to
  "query_engine", "query" is set to "none", and "search" is set to e.g.
  "1") is not properly sanitised in lib/functions.php before being used in a
  "create_function()" function call. This can be exploited to inject and
  execute arbitrary PHP code.

For the oldstable distribution (lenny), these problems have been fixed in

For the stable distribution (squeeze), these problems have been fixed in

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in

We recommend that you upgrade your phpldapadmin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce () lists debian org
Version: GnuPG v1.4.11 (GNU/Linux)


  By Date           By Thread  

Current thread:
  • [SECURITY] [DSA 2333-1] phpldapadmin security update Jonathan Wiltshire (Oct 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]