
Bug 104293

Summary: net-nds/phpldapadmin multiple issues
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor CC: bruno.cardoso, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa] DerCorny
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-30 12:34:38 UTC
Multiple issues ranging from XSS to remote script execution.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-30 20:13:31 UTC
Well, the advisory says "0.9.6 - 0.9.7/alpha5 (possibly prior versions)" are
vulnerable, so I'm not sure whether alpha5 is vulnerable or not - I can't access
the upstream bugs page and the changelog in the alpha5 tarball does not mention
0.9.7 yet. So if alpha5 is fixed, please provide a fixed ebuild and please also
check if 0.9.5 is vulnerable, because it's marked stable on x86. Thanks, I know
you guys are quite stressed lately with security stuff.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-08-31 02:37:00 UTC

Debian Security Advisory DSA 790-1                                        Martin Schulze
August 30th, 2005             

Package        : phpldapadmin
Vulnerability  : programming error
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2654
Debian Bug     : 322423

Alexander Gerasiov discovered that phpldapadmin, a web based interface
for administering LDAP servers, allows anybody to access the LDAP
server anonymously, even if this is disabled in the configuration with
the "disable_anon_bind" statement.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-31 08:22:14 UTC
Rating back to B1,
says there is also remote script code execution and file disclosure.
Comment 4 Renat Lumpau (RETIRED) gentoo-dev 2005-08-31 09:30:56 UTC

> "Successful exploitation requires that "register_globals" is enabled."

> Both fixes are included in 0.9.7-alpha6 submitted to sf just now...

phpldapadmin-0.9.7_alpha6 in portage. I can't reproduce it on 0.9.5, but that
doesn't mean it's not there.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-31 10:13:58 UTC
Ready for GLSA. It's B1 so we are forced to write one, although I hate doing so
because register_globals is just dumb etc ...
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-09-06 06:49:02 UTC
GLSA 200509-04
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-11-17 02:06:49 UTC
*** Bug 112766 has been marked as a duplicate of this bug. ***