lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201110231338.p9NDc9pG026242@sf01web2.securityfocus.com>
Date: Sun, 23 Oct 2011 13:38:09 GMT
From: n0b0d13s@...il.com
To: bugtraq@...urityfocus.com
Subject: phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection
 Exploit


phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection Exploit


author...............: EgiX
mail.................: n0b0d13s[at]gmail[dot]com
software link........: http://phpldapadmin.sourceforge.net/
affected versions....: from 1.2.0 to 1.2.1.1


[-] vulnerable code in /lib/functions.php

1002.    function masort(&$data,$sortby,$rev=0) {
1003.        if (defined('DEBUG_ENABLED') && DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
1004.            debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
1005.    
1006.        # if the array to sort is null or empty
1007.        if (! $data) return;
1008.    
1009.        static $CACHE = array();
1010.    
1011.        if (empty($CACHE[$sortby])) {
1012.            $code = "\$c=0;\n";
1013.    
1014.            foreach (explode(',',$sortby) as $key) {
1015.                $code .= "if (is_object(\$a) || is_object(\$b)) {\n";
1016.    
1017.                $code .= "    if (is_array(\$a->$key)) {\n";
1018.                $code .= "        asort(\$a->$key);\n";
1019.                $code .= "        \$aa = array_shift(\$a->$key);\n";

...

1078.            $code .= 'return $c;';
1079.    
1080.            $CACHE[$sortby] = create_function('$a, $b',$code);
1081.        }

The $sortby parameter passed to 'masort' function isn't properly sanitized before being used in a call to create_function()
at line 1080, this can be exploited to inject and execute arbitrary PHP code. The only possible attack vector is when handling
the 'query_engine' command, here input passed through $_REQUEST['orderby'] is passed as $sortby parameter to 'masort' function.


[-] Disclosure timeline:

[30/09/2011] - Vulnerability discovered
[02/10/2011] - Issue reported to http://sourceforge.net/support/tracker.php?aid=3417184
[05/10/2011] - Fix committed: http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;h=76e6dad
[23/10/2011] - Public disclosure


[-] Proof of concept:

http://www.exploit-db.com/exploits/18021/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ