Multiple issues ranging from XSS to remote script execution.
Well, the advisory says "0.9.6 - 0.9.7/alpha5 (possibly prior versions)" are vulnerable, so I'm not sure whether alpha5 is vulnerable or not - I can't access the upstream bugs page and the changelog in the alpha5 tarball does not mention 0.9.7 yet. So if alpha5 is fixed, please provide a fixed ebuild and please also check if 0.9.5 is vulnerable, because it's marked stable on x86. Thanks, I know you guys are quite stressed lately with security stuff.
FYI:

--------------------------------------------------------------------------
Debian Security Advisory DSA 790-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 30th, 2005                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : phpldapadmin
Vulnerability  : programming error
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2654
Debian Bug     : 322423

Alexander Gerasiov discovered that phpldapadmin, a web based interface for administering LDAP servers, allows anybody to access the LDAP server anonymously, even if this is disabled in the configuration with the "disable_anon_bind" statement.
Rating back to B1: http://www.securityfocus.com/archive/1/409624/30/0/threaded says there is also remote script code execution and file disclosure.
See http://sourceforge.net/mailarchive/forum.php?thread_id=8086622&forum_id=34809

> "Successful exploitation requires that "register_globals" is enabled."
> Both fixes are included in 0.9.7-alpha6 submitted to sf just now...

phpldapadmin-0.9.7_alpha6 in portage. I can't reproduce it on 0.9.5, but that doesn't mean it's not there.
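The two problems discussed in this bug (an anonymous bind going through despite a "disable_anon_bind" setting, and fixes that only matter when register_globals is on) both come down to a web front end trusting state it did not set itself. The following is an added illustration of how a login handler can enforce both points explicitly; it is not phpldapadmin's code, and the $config array, the ldap_login() function and the host name are hypothetical:

```php
<?php
// Added example, not phpldapadmin's own code. Shows two defensive checks:
//  1. refuse to run at all while register_globals is enabled, so no request
//     parameter can pre-seed a variable the application expects to be internal;
//  2. enforce a "disable_anon_bind" setting in the application itself, before
//     ldap_bind() gets a chance to fall back to an anonymous bind.

// register_globals is a real php.ini directive (removed in PHP 5.4). Bailing
// out here is a belt-and-braces check; the real fix is register_globals = Off.
if (ini_get('register_globals')) {
    header('HTTP/1.0 503 Service Unavailable');
    exit('This application refuses to run with register_globals enabled.');
}

// Hypothetical configuration. In a real deployment this is read from the
// application's config file and never from the request.
$config = array(
    'ldap_host'         => 'ldap://ldap.example.internal',   // placeholder host
    'disable_anon_bind' => true,
);

/**
 * Bind to the directory as a web user.
 * Returns the LDAP connection resource on success, false on refusal or failure.
 * Credentials arrive only as explicit parameters, never as globals.
 */
function ldap_login(array $config, $dn, $password)
{
    $dn       = trim((string) $dn);
    $password = (string) $password;

    // An empty DN is an anonymous bind and an empty password is an
    // unauthenticated bind (RFC 4513 5.1.1/5.1.2). ldap_bind() performs
    // either silently, so the policy decision has to be made here, in the
    // application, rather than left to the directory server.
    if (($dn === '' || $password === '') && !empty($config['disable_anon_bind'])) {
        error_log(sprintf('refused anonymous/unauthenticated bind from %s',
                          isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli'));
        return false;
    }

    $conn = ldap_connect($config['ldap_host']);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

    if (!@ldap_bind($conn, $dn, $password)) {
        ldap_close($conn);
        return false;
    }
    return $conn;
}

// Usage, e.g. from a login form handler: credentials come from $_POST only.
$dn       = isset($_POST['login_dn']) ? $_POST['login_dn'] : '';
$password = isset($_POST['login_pass']) ? $_POST['login_pass'] : '';
$conn     = ldap_login($config, $dn, $password);
if ($conn === false) {
    header('HTTP/1.0 401 Unauthorized');
    exit('Login refused.');
}
```

The point of doing the empty-DN/empty-password check in the application is that a directory server which permits anonymous binds will happily accept them; a "disable_anon_bind" option is only meaningful if the web layer refuses to issue such a bind in the first place. Refusing to run under register_globals removes the precondition the SourceForge thread quotes for the other issue.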
Ready for GLSA. It's B1 so we are forced to write one, although I hate doing so because register_globals is just dumb etc ...
GLSA 200509-04
*** Bug 112766 has been marked as a duplicate of this bug. ***