Debian Bug report logs -
#646754
Exploit in phpldapadmin lets attacker execute arbitrary code
Reported by: John Bloom <john@sheeplauncher.net>
Date: Wed, 26 Oct 2011 19:33:05 UTC
Severity: critical
Tags: patch, security, upstream
Found in versions phpldapadmin/1.1.0.5-6+lenny1, phpldapadmin/1.2.0.5-2
Fixed in versions phpldapadmin/1.2.0.5-2.1, phpldapadmin/1.2.0.5-2+squeeze1, phpldapadmin/1.1.0.5-6+lenny2
Done: Jonathan Wiltshire <jmw@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Fabio Tranchitella <kobold@debian.org>:
Bug#646754; Package phpldapadmin.
(Wed, 26 Oct 2011 19:33:08 GMT) (full text, mbox, link).
Acknowledgement sent
to John Bloom <john@sheeplauncher.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Fabio Tranchitella <kobold@debian.org>.
(Wed, 26 Oct 2011 19:33:08 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: phpldapadmin
Version: 1.2.0.5-2
Severity: critical
Tags: security upstream
Justification: root security hole
All versions of phpldapadmin <= 1.2.1.1 (all released versions as of
today) are vulnerable to a remote code execution bug. Arbitrary code can be
executed as the user running the web server that phpldapadmin is running
under (usually www-data). Details can be found here:
- exploit DB: http://www.exploit-db.com/exploits/18021/
- phpldapadmin bug tracker:
http://sourceforge.net/tracker/index.php?func=detail&aid=3417184&group_id=61828&atid=498546
- example of exploit in the wild: http://dev.metasploit.com/redmine/issues/5820
Justification for critical status: I'm not sure if www-data would be
considered a "privileged" account, but I believe this exploit could be
used to stage a man-in-the-middle attack against anyone logging into
phpldapadmin as the LDAP administrator user.
-- System Information:
Debian Release: 6.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages phpldapadmin depends on:
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii lighttpd [httpd] 1.4.28-2 A fast webserver with minimal memo
ii php5 5.3.3-7+squeeze3 server-side, HTML-embedded scripti
ii php5-cgi 5.3.3-7+squeeze3 server-side, HTML-embedded scripti
ii php5-ldap 5.3.3-7+squeeze3 LDAP module for php5
ii ucf 3.0025+nmu1 Update Configuration File: preserv
phpldapadmin recommends no packages.
phpldapadmin suggests no packages.
-- debconf information excluded
Information forwarded
to debian-bugs-dist@lists.debian.org, Fabio Tranchitella <kobold@debian.org>:
Bug#646754; Package phpldapadmin.
(Wed, 26 Oct 2011 23:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Fabio Tranchitella <kobold@debian.org>.
(Wed, 26 Oct 2011 23:57:03 GMT) (full text, mbox, link).
Message #10 received at 646754@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Wed, Oct 26, 2011 at 12:24:26PM -0700, John Bloom wrote:
> All versions of phpldapadmin <= 1.2.1.1 (all released versions as of
> today) are vulnerable to a remote code execution bug. Arbitrary code can be
> executed as the user running the web server that phpldapadmin is running
> under (usually www-data). Details can be found here:
This is CVE-2011-4075
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
[signature.asc (application/pgp-signature, inline)]
Bug Marked as found in versions phpldapadmin/1.1.0.5-6+lenny1.
Request was from Jonathan Wiltshire <jmw@debian.org>
to control@bugs.debian.org.
(Thu, 27 Oct 2011 09:45:25 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Fabio Tranchitella <kobold@debian.org>:
Bug#646754; Package phpldapadmin.
(Thu, 27 Oct 2011 20:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Fabio Tranchitella <kobold@debian.org>.
(Thu, 27 Oct 2011 20:03:03 GMT) (full text, mbox, link).
Message #17 received at 646754@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 646754 + patch
tags 646754 + pending
tags 646769 + patch
tags 646769 + pending
thanks
Dear maintainer,
I've prepared an NMU for phpldapadmin (versioned as 1.2.0.5-2.1) and
uploaded it to DELAYED/1. Please feel free to tell me if I
should delay it longer.
Regards.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
[phpldapadmin-1.2.0.5-2.1-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
Added tag(s) patch.
Request was from Jonathan Wiltshire <jmw@debian.org>
to control@bugs.debian.org.
(Thu, 27 Oct 2011 20:03:06 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Jonathan Wiltshire <jmw@debian.org>
to control@bugs.debian.org.
(Thu, 27 Oct 2011 20:03:07 GMT) (full text, mbox, link).
Reply sent
to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility.
(Fri, 28 Oct 2011 21:12:13 GMT) (full text, mbox, link).
Notification sent
to John Bloom <john@sheeplauncher.net>:
Bug acknowledged by developer.
(Fri, 28 Oct 2011 21:12:25 GMT) (full text, mbox, link).
Message #26 received at 646754-close@bugs.debian.org (full text, mbox, reply):
Source: phpldapadmin
Source-Version: 1.2.0.5-2.1
We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:
phpldapadmin_1.2.0.5-2.1.diff.gz
to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2.1.diff.gz
phpldapadmin_1.2.0.5-2.1.dsc
to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2.1.dsc
phpldapadmin_1.2.0.5-2.1_all.deb
to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 646754@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated phpldapadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 27 Oct 2011 17:51:24 +0100
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 1.2.0.5-2.1
Distribution: unstable
Urgency: high
Maintainer: Fabio Tranchitella <kobold@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description:
phpldapadmin - web based interface for administering LDAP servers
Closes: 646754 646769
Changes:
phpldapadmin (1.2.0.5-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* CVE-2011-4074 Fix XSS vulnerability in debug code (Closes: #646769)
* CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
(Closes: #646754)
Checksums-Sha1:
f6d86b56229db00e7c48fd3621ebd3e4d4fb932d 1723 phpldapadmin_1.2.0.5-2.1.dsc
49c219b7126dd9357c226bf35ffac7020727d84c 25005 phpldapadmin_1.2.0.5-2.1.diff.gz
b263c5ed27354e920b2e4e84f5adc18f360358d8 1266724 phpldapadmin_1.2.0.5-2.1_all.deb
Checksums-Sha256:
de160987eb6ae9fb927075446ce7a08f0f39c6d7385f61f8ba1567c61ea6ea34 1723 phpldapadmin_1.2.0.5-2.1.dsc
a1c6dbc7842df92ddc54fc30ce13c3042e7dbcb8bdab1f7bb61de87a0ac91a15 25005 phpldapadmin_1.2.0.5-2.1.diff.gz
18f70e2a3847ef1729043a71e1aed338d7788ba96212f1d2285ef39145c1d61f 1266724 phpldapadmin_1.2.0.5-2.1_all.deb
Files:
42f745fe3da0af28a60f3a165c2627ce 1723 admin extra phpldapadmin_1.2.0.5-2.1.dsc
c8df93849f4cd3923f5c5596c9ac76e5 25005 admin extra phpldapadmin_1.2.0.5-2.1.diff.gz
d88f1c1ca798855c9ab42ecfced4a6ae 1266724 admin extra phpldapadmin_1.2.0.5-2.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBAgAGBQJOqbcxAAoJEFOUR53TUkxR9tEP/A6OBh7FLA1FQ9XjKwe3i17N
Y9+CipzUWZV1CExTyDlLDhnhQedYub4bvP6TXPV/dnQyDVQfB7D6CLeW6s5m3BnS
M/x6LtWMRJJ56ODlYvmm5Ydj9D8sTkwrGV/+KhBBa8fqXNn3cansAgIzLfAo/W18
BGhdkwtTO1Da6j1Y/O4DIkLaOz6WMuPd6y8UYTehgCrvmpa6spKxJ1irEpLR48dl
lvnqp5SJt5o+/1/vNqYNvjOvUdnAYKP8sFp/aWF8Lx7qutQ2j6/wsWO0RyptkQJw
1qTREIFLqSOue5uEf87kiG7KvyV/JW+HtJUbKS9E7gD63C2nr3JkTjGrj82ecaUO
t9UnM75Bnbve1JLr8evxSeRoGzOzcIYwoa/Qv26gl79VdYK55rhkGEs7u2VkfDhY
fp6NKI703CmE2Ak3VgV8Vb1XxiWXMdyUoa3Bbxn+pfuoq6O0wWe8e7SjN0HK+IFq
zXYPM9CHvCigrtWaTCCGsNzfzrPwlsikBWvOjMnl1qlimixqn/+85QUXq+nJIFPQ
7+CSGaJtvo1Ws4/NwyH5FGwBNqkifHREhrL0DSraJ6RP+QXxv8GiczlERzdm8b+m
yrIYC7VpQgdon1Ucg474lZ8nHjQIRB+eMxV5yRyf4f2rGk3hvsSLTvXFF30mTXFn
h+/+MMPFoVrJo6kmwaO/
=zoVM
-----END PGP SIGNATURE-----
Reply sent
to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility.
(Sun, 30 Oct 2011 20:00:03 GMT) (full text, mbox, link).
Notification sent
to John Bloom <john@sheeplauncher.net>:
Bug acknowledged by developer.
(Sun, 30 Oct 2011 20:00:03 GMT) (full text, mbox, link).
Message #31 received at 646754-close@bugs.debian.org (full text, mbox, reply):
Source: phpldapadmin
Source-Version: 1.2.0.5-2+squeeze1
We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:
phpldapadmin_1.2.0.5-2+squeeze1.diff.gz
to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2+squeeze1.diff.gz
phpldapadmin_1.2.0.5-2+squeeze1.dsc
to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2+squeeze1.dsc
phpldapadmin_1.2.0.5-2+squeeze1_all.deb
to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2+squeeze1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 646754@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated phpldapadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 27 Oct 2011 17:51:24 +0100
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 1.2.0.5-2+squeeze1
Distribution: squeeze-security
Urgency: high
Maintainer: Fabio Tranchitella <kobold@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description:
phpldapadmin - web based interface for administering LDAP servers
Closes: 646754 646769
Changes:
phpldapadmin (1.2.0.5-2+squeeze1) squeeze-security; urgency=high
.
* Non-maintainer upload by the security team.
* CVE-2011-4074 Fix XSS vulnerability in debug code (Closes: #646769)
* CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
(Closes: #646754)
Checksums-Sha1:
32500f560da479e07774a772473ee0dc60f5d476 1706 phpldapadmin_1.2.0.5-2+squeeze1.dsc
0720ec05bfe91520bdd15e38c79f949f18d355eb 1345901 phpldapadmin_1.2.0.5.orig.tar.gz
06a06a7b9549cf9b17b4369cd3d393e408ceda7f 25416 phpldapadmin_1.2.0.5-2+squeeze1.diff.gz
c191e208bae5304eb6a5e39037fcea5232e5ff55 1266770 phpldapadmin_1.2.0.5-2+squeeze1_all.deb
Checksums-Sha256:
2ff274359b1cf7281be7576f941bc32b9415ebd2436b979c7f5eb1760082055c 1706 phpldapadmin_1.2.0.5-2+squeeze1.dsc
ee75da1dbba023499fdf50d6cedea9bcdb9caad017b15ed2e31700bcc61dfcfd 1345901 phpldapadmin_1.2.0.5.orig.tar.gz
cdca51e68f7c6e7ea76cb75ee542bcfa8706397057f6f07641fc205cd3a3a054 25416 phpldapadmin_1.2.0.5-2+squeeze1.diff.gz
5da574473bca34b15d05e9a6af966278b7a59bc1a90fa43b3388d7bac613e3c6 1266770 phpldapadmin_1.2.0.5-2+squeeze1_all.deb
Files:
1813659cd851ac1787ab02a9d2272524 1706 admin extra phpldapadmin_1.2.0.5-2+squeeze1.dsc
d75f043686da4c1e333ca160b0d26c01 1345901 admin extra phpldapadmin_1.2.0.5.orig.tar.gz
1e1ec2d06146fda81f3c7a7dfb934b32 25416 admin extra phpldapadmin_1.2.0.5-2+squeeze1.diff.gz
c06fd719544825c62e1f2ca1b58efc89 1266770 admin extra phpldapadmin_1.2.0.5-2+squeeze1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBAgAGBQJOqbbIAAoJEFOUR53TUkxREh0QAI6rwGVF1cbMaKA5/FNo2bPS
FKo+z7WU3RbMcVeB0zH8Q5i746DtMbBGfNZozs3Wv10amFcF2FUHvbfs6O067320
Cn/EoyeTmkaldjhWbCfrHqtqYmZUwvbKtP176ZvwrjSkiCD9TO+T0ons9HddvMdT
phHk5eGa1kigdfmzH9syz1PrLEC4DC7vanWhUepTXmql1TSdU2dS/gVgIcmZTPBm
lme3ZZkWjX6gi8W7ykqYeMaRhk8m4PNxWguHz+fb78Ipspmw9tEkSGSvbpN70O2z
xDfrzVSchP9xniRlfazjCL15kbyHRDIQvigRJUQwoapi7YZYA/OQJNYZ1MgSnP88
oxz9abqz/2pZtOr4jT4lbJ7Qi/k9u1whetOYYWHaNcepSdE8r3fN1CyCbXWFNnvb
bV7F/utuTH4TgtVBVQf0SrOaz0peHpmnV1hWHtWdvaTjG7qokFa27f7oc/Ya2Iwh
h6nAIL57Rw101s6DOsPCZ7WkUMRj4Fq2r/wyZFhKNshgjn/V5Cy3ueSWEPDxXxe7
R7LHWXIVx5ZX6LZ5zm0uR4Umw+7dmuDhbDcIjoZm8XdU3vLJoEld7YoErn3fTESo
BPIweSpY3B1dkdYgbn8ESmzoMDdrudyVR8Xs1vBFygNpXcSoJQ5y454RZ4Xj3FCn
cmQtV2GQS7UppUxJquND
=ZPtU
-----END PGP SIGNATURE-----
Reply sent
to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility.
(Wed, 28 Dec 2011 02:00:04 GMT) (full text, mbox, link).
Notification sent
to John Bloom <john@sheeplauncher.net>:
Bug acknowledged by developer.
(Wed, 28 Dec 2011 02:00:04 GMT) (full text, mbox, link).
Message #36 received at 646754-close@bugs.debian.org (full text, mbox, reply):
Source: phpldapadmin
Source-Version: 1.1.0.5-6+lenny2
We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:
phpldapadmin_1.1.0.5-6+lenny2.diff.gz
to main/p/phpldapadmin/phpldapadmin_1.1.0.5-6+lenny2.diff.gz
phpldapadmin_1.1.0.5-6+lenny2.dsc
to main/p/phpldapadmin/phpldapadmin_1.1.0.5-6+lenny2.dsc
phpldapadmin_1.1.0.5-6+lenny2_all.deb
to main/p/phpldapadmin/phpldapadmin_1.1.0.5-6+lenny2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 646754@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated phpldapadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 27 Oct 2011 12:54:16 +0100
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 1.1.0.5-6+lenny2
Distribution: oldstable-security
Urgency: high
Maintainer: Fabio Tranchitella <kobold@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description:
phpldapadmin - web based interface for administering LDAP servers
Closes: 646754 646769
Changes:
phpldapadmin (1.1.0.5-6+lenny2) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team
* CVE-2011-4074 Fix XSS vulnerability in debug code (Closes: #646769)
* CVE-2011-4075 Fix remote code execution by anonymous users (Closes: #646754)
Checksums-Sha1:
a64e574f764305eddcd50dc92d2399d5bac569f6 1360 phpldapadmin_1.1.0.5-6+lenny2.dsc
93a7cb2466d554b431fde7278f78f2c87c5edb81 1031912 phpldapadmin_1.1.0.5.orig.tar.gz
7e45e6e3866bd4bb511ab80202ef3597b752f3c9 22802 phpldapadmin_1.1.0.5-6+lenny2.diff.gz
0983ac16d4ddcde07dfbf1fc31e042e7fdf2d8f5 933340 phpldapadmin_1.1.0.5-6+lenny2_all.deb
Checksums-Sha256:
cc92d62a6186ce70bf8f40276abbc8d0211cb7b208e64b30bb64674ac34de32b 1360 phpldapadmin_1.1.0.5-6+lenny2.dsc
1247c3d0fb671d6c8cc27319b659ba7c9402abb70c904e0ece83c8b7dcc26e1b 1031912 phpldapadmin_1.1.0.5.orig.tar.gz
70c5be9858ff34bfa5638eb6e5ba2a64bd32c96a17336a7ad9569318a240b666 22802 phpldapadmin_1.1.0.5-6+lenny2.diff.gz
63de2ec8d29bbe2d83c65fc17646426570c553b732664601fc0ddd513a0f0b65 933340 phpldapadmin_1.1.0.5-6+lenny2_all.deb
Files:
70629b037b3ce62e82e851eed74c62f6 1360 admin extra phpldapadmin_1.1.0.5-6+lenny2.dsc
5ea78a6758e347c77ef291882675f266 1031912 admin extra phpldapadmin_1.1.0.5.orig.tar.gz
76a36ece8a672e6f95ae28d306aa18fc 22802 admin extra phpldapadmin_1.1.0.5-6+lenny2.diff.gz
47fd40e5aa9893873237810a331ea3c5 933340 admin extra phpldapadmin_1.1.0.5-6+lenny2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJO+h9ZAAoJEOxfUAG2iX57SCMH/2+YV0uG3tPK4zot2in24S2x
DhKS8kH03SrTiN4c5pq7vFKheVp5yp6uucGxWh0+jZFoCVtIyKN76K4v+QLXC0MK
xUOflZYlUG3kMlJykKroPxeo0zcLLIOjBPvRD5KVtRcccnRzRH5wWV5ll8odwBN+
50EAi4/8uVpQwvI9gp4X+sUefiajCs2IGxCt/p7iwRhTm6f9rOQ6lsCxVMtNxM/n
HvW4SPIUpn0Qu280RKOD9ZtG38fOxie3eDlnKChfdUWaXH/9gRwzP/AxnhF2sMzJ
Q7i5JQ9ufwP8QbY0TtkOS/XIZSc5V0y8chZpx+vxSkvm8ms/ipzfqnlt2A/d3Ns=
=wnC4
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 29 Jan 2012 07:36:45 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:32:40 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon