Package name
phpldapadmin
Date
2011-11-02
Advisory ID
MDVSA-2011:163
Affected versions
MES5 i586, MES5 x86_64

Problem description

Multiple vulnerabilities were discovered and corrected in phpldapadmin:

Input appended to the URL in cmd.php (when cmd is set to _debug)
is not properly sanitised before being returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site (CVE-2011-4074).

Input passed to the orderby parameter in cmd.php (when cmd is set
to query_engine, query is set to none, and search is set to e.g. 1)
is not properly sanitised in lib/functions.php before being used in
a create_function() function call. This can be exploited to inject
and execute arbitrary PHP code (CVE-2011-4075).

The updated packages have been upgraded to the latest version (1.2.2)
which is not vulnerable to these issues.
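
For hosts that ran an older version, web server access logs can be reviewed for the two request patterns described above. The following is an added example, not part of the advisory or of phpLDAPadmin: it assumes combined-format access logs, treats a legitimate orderby value as a comma-separated list of LDAP attribute names, and runs over constructed sample lines (it sees only query strings, not POST bodies).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumption: a legitimate orderby value is a comma-separated list of LDAP
# attribute names (letters, digits, hyphens, optional ";option" suffixes).
ATTR = r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*"
ATTR_LIST = re.compile(rf"{ATTR}(?:,{ATTR})*")
MARKUP = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(line):
    """Return the advisory CVE ids whose request pattern this log line matches."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/cmd.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    cmds = params.get("cmd", [])
    hits = []
    # CVE-2011-4074: cmd=_debug reflects URL input, so markup characters
    # anywhere in the decoded query string are worth a look.
    if "_debug" in cmds and MARKUP.search(unquote_plus(url.query)):
        hits.append("CVE-2011-4074")
    # CVE-2011-4075: orderby reaches create_function(); anything other than
    # a plain attribute list is suspicious.
    if "query_engine" in cmds:
        if any(v and not ATTR_LIST.fullmatch(v) for v in params.get("orderby", [])):
            hits.append("CVE-2011-4075")
    return hits

def scan(lines):
    """Return (line_number, cve_ids) for every flagged line, 1-based."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := classify(line))]

# Constructed sample log lines (documentation addresses, harmless values).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Nov/2011:10:00:00 +0000] "GET /phpldapadmin/cmd.php?cmd=query_engine&query=none&search=1&orderby=cn HTTP/1.1" 200 5120',
    '192.0.2.44 - - [02/Nov/2011:10:01:00 +0000] "GET /phpldapadmin/cmd.php?cmd=query_engine&query=none&search=1&orderby=cn%29%3B%7D HTTP/1.1" 200 311',
    '192.0.2.44 - - [02/Nov/2011:10:02:00 +0000] "GET /phpldapadmin/cmd.php?cmd=_debug&x=%3Cb%3E HTTP/1.1" 200 900',
    '192.0.2.10 - - [02/Nov/2011:10:03:00 +0000] "GET /phpldapadmin/index.php HTTP/1.1" 200 2000',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, ", ".join(hits))
```

A flagged line is a lead for review, not proof of compromise; the attribute-name pattern may need widening if the directory uses unusual attribute descriptors.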

Updated packages

MES5 i586

 aa5dbb658ad22b4444c9d96ebf5ab78e  mes5/i586/phpldapadmin-1.2.2-0.1mdvmes5.2.noarch.rpm 
 0d59873f81f0d993591b4037514768f2  mes5/SRPMS/phpldapadmin-1.2.2-0.1mdvmes5.2.src.rpm

MES5 x86_64

 81cdc948bada750eb85795dd4c274c9b  mes5/x86_64/phpldapadmin-1.2.2-0.1mdvmes5.2.noarch.rpm 
 0d59873f81f0d993591b4037514768f2  mes5/SRPMS/phpldapadmin-1.2.2-0.1mdvmes5.2.src.rpm

References