oss-sec mailing list archives
CVE Request -- phpLDAPadmin -- Local file inclusion flaw in "common.php" via "Accept-Language" HTTP header leading to DoS
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 27 Oct 2011 14:07:17 +0200
Hello Josh, Steve, vendors,

a local file inclusion flaw was found in the way phpLDAPadmin, a web based LDAP client for managing LDAP servers, processed certain values of the "Accept-Language" HTTP header. A remote attacker could use this flaw to cause a denial of service (generate recursive inclusions leading to resource exhaustion) via a specially crafted request.

Note: A different issue than CVE-2011-4075 (due to the different attack vector and different source code file in question).

References:
[1] http://www.securityfocus.com/bid/50328/info

Relevant exploit:
[2] http://www.securityfocus.com/data/vulnerabilities/exploits/50328.java

According to Dmitry, this issue should be fixed in upstream v0.9.8.5 version too.

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
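The class of bug described in the request above is a request header value ending up as part of an include path. The defensive pattern is to never let the header touch the filesystem: parse it, rank the client's preferences, and map them onto an allowlist of languages the application actually ships. The PHP below is an added illustration of that pattern written for this archive page; it is not phpLDAPadmin's code, and the language list, the `lang/` directory layout and the function names are hypothetical.

```php
<?php
// Added example (not phpLDAPadmin code): resolve an Accept-Language header to a
// language file through an allowlist, so the raw header never becomes a path.

// Hypothetical list of languages that actually ship with the application.
const AVAILABLE_LANGUAGES = ['en_GB', 'de_DE', 'fr_FR', 'es_ES'];

/**
 * Parse an Accept-Language header into language tags ordered by q-value.
 * Entries that are not plain language tags (including anything containing
 * path separators or dots) are dropped rather than passed through.
 */
function parse_accept_language(string $header): array
{
    $ranked = [];
    foreach (explode(',', $header) as $index => $part) {
        $pieces = array_map('trim', explode(';', $part));
        $tag = array_shift($pieces);
        // Accept only letter/digit subtags joined by '-' or '_'. The "*" wildcard
        // is treated as "no preference" and simply falls through to the default.
        if ($tag === '' || !preg_match('/^[A-Za-z]{1,8}([-_][A-Za-z0-9]{1,8})*$/', $tag)) {
            continue;
        }
        $q = 1.0;
        foreach ($pieces as $param) {
            if (preg_match('/^q=(0(\.\d{0,3})?|1(\.0{0,3})?)$/', $param, $m)) {
                $q = (float) $m[1];
            }
        }
        if ($q <= 0) {
            continue; // q=0 means "not acceptable"
        }
        // Header order is the tiebreaker for equal q-values.
        $ranked[] = ['tag' => $tag, 'q' => $q, 'order' => $index];
    }
    usort($ranked, fn($a, $b) => $b['q'] <=> $a['q'] ?: $a['order'] <=> $b['order']);
    return array_column($ranked, 'tag');
}

/**
 * Map the client's ranked preferences onto the allowlist. The return value is
 * always one of $available (or $default); it is never derived from the header
 * text itself, so there is nothing for a crafted header to inject.
 */
function resolve_language(string $header, array $available = AVAILABLE_LANGUAGES, string $default = 'en_GB'): string
{
    $canonical = [];
    foreach ($available as $lang) {
        $canonical[strtolower(str_replace('-', '_', $lang))] = $lang;
    }
    foreach (parse_accept_language($header) as $tag) {
        $key = strtolower(str_replace('-', '_', $tag));
        if (isset($canonical[$key])) {
            return $canonical[$key];      // exact match, e.g. de-DE -> de_DE
        }
        $primary = explode('_', $key)[0]; // primary-subtag match, e.g. de -> de_DE
        foreach ($canonical as $k => $lang) {
            if (explode('_', $k)[0] === $primary) {
                return $lang;
            }
        }
    }
    return $default;
}

/** Build the include path from the allowlisted value only. */
function language_file(string $header): string
{
    return __DIR__ . '/lang/' . resolve_language($header) . '.php';
}

// Demonstration with constructed header values: a normal preference list, a
// bare primary tag, a value containing path characters, and an empty header.
foreach (['de-DE,de;q=0.8,en;q=0.5', 'fr', '../not-a-language', ''] as $h) {
    printf("%-28s -> %s\n", var_export($h, true), basename(language_file($h)));
}
```

Two design points matter here. First, the allowlist is the only source of the path component, so validation does not depend on spotting every dangerous character in the header. Second, a header that matches nothing yields the default language rather than an error, which is also what a monitoring rule should key on: an Accept-Language value that fails the tag regex is unusual for a browser and worth logging.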