Test ID: 1.3.6.1.4.1.25623.1.0.70549
Category: Debian Local Security Checks
Title: Debian Security Advisory DSA 2333-1 (phpldapadmin)
Summary: The remote host is missing an update to phpldapadmin announced via advisory DSA 2333-1.
Description:
Summary:
The remote host is missing an update to phpldapadmin
announced via advisory DSA 2333-1.

Vulnerability Insight:
Two vulnerabilities have been discovered in phpldapadmin, a web based
interface for administering LDAP servers. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2011-4074

Input appended to the URL in cmd.php (when cmd is set to _debug) is
not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.

CVE-2011-4075

Input passed to the orderby parameter in cmd.php (when cmd is set to
query_engine, query is set to none, and search is set to e.g. 1) is
not properly sanitised in lib/functions.php before being used in a
create_function() function call. This can be exploited to inject and
execute arbitrary PHP code.


For the oldstable distribution (lenny), these problems have been fixed in
version 1.1.0.5-6+lenny2.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.0.5-2+squeeze1.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.2.0.5-2.1.

Solution:
We recommend that you upgrade your phpldapadmin packages.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-reference:
Common Vulnerability Exposure (CVE) ID: CVE-2011-4075
BugTraq ID: 50331
http://www.securityfocus.com/bid/50331
Debian Security Information: DSA-2333
http://www.debian.org/security/2011/dsa-2333
http://www.exploit-db.com/exploits/18021/
http://dev.metasploit.com/redmine/issues/5820
http://openwall.com/lists/oss-security/2011/10/24/9
http://openwall.com/lists/oss-security/2011/10/25/2
http://osvdb.org/76594
http://secunia.com/advisories/46551
http://secunia.com/advisories/46672
Common Vulnerability Exposure (CVE) ID: CVE-2011-4074
http://osvdb.org/76593
Copyright: Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com
