[Full-disclosure] [SECURITY] [DSA 2333-1] phpldapadmin security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-2333-1 security@xxxxxxxxxx
http://www.debian.org/security/ Jonathan Wiltshire
Oct 31th, 2011 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : phpldapadmin
Vulnerability : several
Problem type : remote
Debian-specific: no
Debian bug : 646754
CVE IDs : CVE-2011-4075 CVE-2011-4074

Two vulnerabilities have been discovered in phpldapadmin, a web based
interface for administering LDAP servers. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2011-4074

Input appended to the URL in cmd.php (when "cmd" is set to "_debug") is
not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.

CVE-2011-4075

Input passed to the "orderby" parameter in cmd.php (when "cmd" is set to
"query_engine", "query" is set to "none", and "search" is set to e.g.
"1") is not properly sanitised in lib/functions.php before being used in a
"create_function()" function call. This can be exploited to inject and
execute arbitrary PHP code.


For the oldstable distribution (lenny), these problems have been fixed in
version 1.1.0.5-6+lenny2.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.0.5-2+squeeze1.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.2.0.5-2.1.

We recommend that you upgrade your phpldapadmin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk6tQ0EACgkQHYflSXNkfP+uCQCeMmNGTEsYJURFndG0Vj7LAicH
qhMAnili/N36OYURQYkY/Bbd873EtlLm
=8Zwg
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • [Full-disclosure] [SECURITY] [DSA 2666-1] xen security update
    ... Multiple vulnerabilities have been discovered in the Xen hypervisor. ... CVE-2013-1964 grant table hypercall acquire/release imbalance ... For the oldstable distribution, these problems have been fixed in ... Further information about Debian Security Advisories, ...
    (Full-Disclosure)
  • [SECURITY] [DSA 2666-1] xen security update
    ... Multiple vulnerabilities have been discovered in the Xen hypervisor. ... CVE-2013-1964 grant table hypercall acquire/release imbalance ... For the oldstable distribution, these problems have been fixed in ... Further information about Debian Security Advisories, ...
    (Bugtraq)
  • [Full-disclosure] [SECURITY] [DSA-1976-1] New dokuwiki packages fix several vulnerabilit
    ... Debian bugs: 565406 ... Several vulnerabilities have been discovered in dokuwiki, ... The oldstable distribution is not affected by these problems. ... Size/MD5 checksum: 1104 87bff5f8b651532561c5c6b0454ef37a ...
    (Full-Disclosure)
  • [SECURITY] [DSA-1976-1] New dokuwiki packages fix several vulnerabilities
    ... Debian bugs: 565406 ... Several vulnerabilities have been discovered in dokuwiki, ... The oldstable distribution is not affected by these problems. ... Size/MD5 checksum: 1104 87bff5f8b651532561c5c6b0454ef37a ...
    (Bugtraq)
  • [SECURITY] [DSA 2333-1] phpldapadmin security update
    ... Two vulnerabilities have been discovered in phpldapadmin, ... For the oldstable distribution, these problems have been fixed in ... We recommend that you upgrade your phpldapadmin packages. ... Further information about Debian Security Advisories, ...
    (Bugtraq)