Debian Bug report logs - #902186: CVE-2018-12689
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Sat, 23 Jun 2018 08:48:02 UTC
Severity: important
Tags: moreinfo, security
Found in version phpldapadmin/1.2.2-1
Done: Antoine Beaupre <anarcat@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Fabio Tranchitella <kobold@debian.org>: Bug#902186; Package phpldapadmin. (Sat, 23 Jun 2018 08:48:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Fabio Tranchitella <kobold@debian.org>. (Sat, 23 Jun 2018 08:48:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: phpldapadmin
Severity: grave
Tags: security
Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12689
Cheers,
Moritz
Marked as found in versions phpldapadmin/1.2.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 23 Jun 2018 09:54:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Fabio Tranchitella <kobold@debian.org>: Bug#902186; Package phpldapadmin. (Mon, 08 Oct 2018 18:57:05 GMT)
Acknowledgement sent to Dominik George <natureshadow@debian.org>: Extra info received and forwarded to list. Copy sent to Fabio Tranchitella <kobold@debian.org>. (Mon, 08 Oct 2018 18:57:05 GMT)
Message #12 received at 902186@bugs.debian.org:
Control: tags -1 + moreinfo
Control: severity -1 important
Heisann,
On Sat, Jun 23, 2018 at 10:45:39AM +0200, Moritz Muehlenhoff wrote:
> Package: phpldapadmin
> Severity: grave
> Tags: security
>
> Please see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12689
I am triaging this bug report because of a request of a user to get
phpLDAPAdmin into testing again, and the maintainer seems to be unresponsive.
Doing so, I found that in my opinion, the CVE is invalid. Neither of the PoCs
works.
PoC 1 (server_id parameter) does not work because the parameter is verified
using is_numeric before being passed on to anything special.
PoC 2 makes phpLDAPAdmin simply display "Invalid DN syntax for user".
No matter what, I was not able to get anything out of phpLDAPAdmin with the
information in the CVE and the referenced exploit. Thus, I am lowering the
priority of this bug report to important and asking you to provide more
information on how to produce the behaviour claimed in the CVE report.
Ha det bra,
Nik
Added tag(s) moreinfo. Request was from Dominik George <natureshadow@debian.org> to 902186-submit@bugs.debian.org. (Mon, 08 Oct 2018 18:57:05 GMT)
Severity set to 'important' from 'grave'. Request was from Dominik George <natureshadow@debian.org> to 902186-submit@bugs.debian.org. (Mon, 08 Oct 2018 18:57:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Fabio Tranchitella <kobold@debian.org>: Bug#902186; Package phpldapadmin. (Mon, 08 Oct 2018 20:39:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Fabio Tranchitella <kobold@debian.org>. (Mon, 08 Oct 2018 20:39:03 GMT)
Message #21 received at 902186@bugs.debian.org:
On Mon, Oct 08, 2018 at 08:55:35PM +0200, Dominik George wrote:
> Control: tags -1 + moreinfo
> Control: severity -1 important
>
> Heisann,
>
> On Sat, Jun 23, 2018 at 10:45:39AM +0200, Moritz Muehlenhoff wrote:
> > Package: phpldapadmin
> > Severity: grave
> > Tags: security
> >
> > Please see
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12689
>
> I am triaging this bug report because of a request of a user to get
> phpLDAPAdmin into testing again, and the maintainer seems to be unresponsive.
>
> Doing so, I found that in my opinion, the CVE is invalid. Neither of the PoCs
> works.
>
> PoC 1 (server_id parameter) does not work because the parameter is verified
> using is_numeric before being passed on to anything special.
>
> PoC 2 makes phpLDAPAdmin simply display "Invalid DN syntax for user".
>
> No matter what, I was not able to get anything out of phpLDAPAdmin with the
> information in the CVE and the referenced exploit. Thus, I am lowering the
> priority of this bug report to important and asking you to provide more
> information on how to produce the behaviour claimed in the CVE report.
We're just filing these bugs as they come in from MITRE, I don't even
use phpldapadmin and most probably never will.
I suggest you report this upstream and if they agree that it's confirmed to
be a non-issue, ask for a rejection via https://cveform.mitre.org/.
Cheers,
Moritz
Reply sent to Antoine Beaupre <anarcat@debian.org>: You have taken responsibility. (Wed, 31 Oct 2018 17:21:03 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Wed, 31 Oct 2018 17:21:03 GMT)
Message #26 received at 902186-done@bugs.debian.org:
Hi,
[Adding original security researcher in CC.]
On Mon, Oct 08, 2018 at 08:55:35PM +0200, Dominik George wrote:
> Heisann,
>
> On Sat, Jun 23, 2018 at 10:45:39AM +0200, Moritz Muehlenhoff wrote:
> > Package: phpldapadmin
> > Severity: grave
> > Tags: security
> >
> > Please see
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12689
>
> I am triaging this bug report because of a request of a user to get
> phpLDAPAdmin into testing again, and the maintainer seems to be unresponsive.
>
> Doing so, I found that in my opinion, the CVE is invalid. Neither of the PoCs
> works.
>
> PoC 1 (server_id parameter) does not work because the parameter is verified
> using is_numeric before being passed on to anything special.
>
> PoC 2 makes phpLDAPAdmin simply display "Invalid DN syntax for user".
>
> No matter what, I was not able to get anything out of phpLDAPAdmin with the
> information in the CVE and the referenced exploit. Thus, I am lowering the
> priority of this bug report to important and asking you to provide more
> information on how to produce the behaviour claimed in the CVE report.
I can confirm that the issue is unreproducible in Debian jessie, with
package version 1.2.2. I have verified the code and I confirm that the
parameter is indeed checked.
 1. Config->getServer($index) calls
 2. Datastore->Instance($index) which does:

        # If no index defined, then pick the lowest one.
        if (is_null($index) || ! trim($index) || ! is_numeric($index))
            $index = min($this->GetServerList())->getIndex();

 3. Datastore->getIndex() returns the internally managed $index parameter
    which is incremented when a new server is added to the datastore, in
    Datastore->newServer()
I doubt there's any real security vulnerability here and will proceed to
get this rejected with Mitre, as advised. I will also update the
security tracker as appropriate.
M. Dusunur, if you disagree with this analysis, please provide more
solid evidence to back your claims that the vulnerability exists in PHP
LDAP admin.
A.
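The guard quoted in the message above, exercised on its own as an added example; this is not code from the thread or from phpLDAPadmin. The `$servers` array, both function names and all sample values are hypothetical stand-ins, and the stricter variant is an assumption about how such a check could be tightened, not upstream behaviour.

```php
<?php
// Added illustration, not phpLDAPadmin source. $servers stands in for the
// datastore's server list, keyed by index (constructed values).
$servers = [1 => 'ldap-a', 2 => 'ldap-b'];

/** The condition quoted in the message: unusable input selects the lowest index. */
function resolve_index($index, array $servers) {
    if (is_null($index) || ! trim($index) || ! is_numeric($index))
        $index = min(array_keys($servers));
    return $index;
}

/** Stricter variant (assumption): decimal digits only, and the index must exist. */
function resolve_index_strict($index, array $servers) {
    if (is_string($index)
        && preg_match('/^[0-9]+$/', $index) === 1
        && isset($servers[(int) $index]))
        return (int) $index;
    return min(array_keys($servers));
}

// Constructed server_id values as they could arrive in a query string.
// Free text is replaced by the lowest index; strings that is_numeric()
// accepts (floats, exponents, leading whitespace) are returned unchanged
// by the quoted guard, while the strict variant normalises them as well.
$samples = [null, '', '2', 'abc', '2abc', '1e0', '1.5', ' 2', '99'];

foreach ($samples as $raw) {
    printf("%-8s quoted guard => %-6s strict => %d\n",
        var_export($raw, true),
        var_export(resolve_index($raw, $servers), true),
        resolve_index_strict($raw, $servers));
}
```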
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Nov 2018 07:30:53 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:30:03 2019; Machine Name: beach