oss-sec mailing list archives
CVE Request -- phpLDAPadmin -- Local file inclusion flaw in "common.php" via "Accept-Language" HTTP header leading to DoS
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 27 Oct 2011 14:07:17 +0200
Hello Josh, Steve, vendors,

a local file inclusion flaw was found in the way phpLDAPadmin, a web-based LDAP client for managing LDAP servers, processed certain values of the "Accept-Language" HTTP header. A remote attacker could use this flaw to cause a denial of service (generate recursive inclusions leading to resource exhaustion) via a specially-crafted request.
Note: A different issue than CVE-2011-4075 (due to the different attack vector and different source code file in question).
References:
[1] http://www.securityfocus.com/bid/50328/info
Relevant exploit:
[2] http://www.securityfocus.com/data/vulnerabilities/exploits/50328.java
According to Dmitry, this issue should be fixed in upstream v0.9.8.5 version too.
Could you allocate a CVE id for this?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
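The class of bug described in the request above is a header value flowing into a file-inclusion path. The following is an added defensive example, not phpLDAPadmin's code and not the fix shipped in v0.9.8.5: it parses the Accept-Language header, matches it against a fixed allow-list of locales, and only ever builds an include path from an allow-listed constant, so the header can never name a file. The locale directory layout, the SUPPORTED_LOCALES constant and the function names are assumptions made for the example.

```php
<?php
// Added example (not phpLDAPadmin code): select a translation file from the
// Accept-Language header without letting header content reach include().
// Assumed layout: ./locale/<locale>/messages.php for each allow-listed locale.

declare(strict_types=1);

// Allow-list of locales this hypothetical application ships. Assumed for the
// example; a real application would generate it from its locale directory at
// build or deploy time, never from the request.
const SUPPORTED_LOCALES = ['en_US', 'de_DE', 'fr_FR', 'pt_BR'];
const DEFAULT_LOCALE = 'en_US';

/**
 * Parse an Accept-Language header (RFC 7231 section 5.3.5) into language
 * ranges ordered by descending q-value. Malformed entries are dropped.
 *
 * @return string[] e.g. ['de-DE', 'de', 'en']
 */
function parseAcceptLanguage(string $header): array
{
    $ranges = [];
    foreach (explode(',', $header) as $pos => $part) {
        $part = trim($part);
        if ($part === '') {
            continue;
        }
        $pieces = array_map('trim', explode(';', $part));
        $tag = array_shift($pieces);
        // Only RFC 5646-shaped tags (or '*') survive; slashes, dots, NUL bytes
        // and overlong junk are discarded here, before any other use.
        if (!preg_match('/^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*$|^\*$/', $tag)) {
            continue;
        }
        $q = 1.0;
        foreach ($pieces as $param) {
            if (preg_match('/^q=(0(\.\d{0,3})?|1(\.0{0,3})?)$/i', $param, $m)) {
                $q = (float) $m[1];
            }
        }
        if ($q > 0.0) {
            // Original position breaks ties between equal q-values.
            $ranges[] = ['tag' => $tag, 'q' => $q, 'pos' => $pos];
        }
    }
    usort($ranges, fn($a, $b) => ($b['q'] <=> $a['q']) ?: ($a['pos'] <=> $b['pos']));
    return array_map(fn($r) => $r['tag'], $ranges);
}

/**
 * Map client preferences onto the allow-list. The return value is always an
 * element of SUPPORTED_LOCALES, never a string taken from the request.
 */
function negotiateLocale(string $header): string
{
    foreach (parseAcceptLanguage($header) as $tag) {
        if ($tag === '*') {
            return DEFAULT_LOCALE;
        }
        // Compare case-insensitively on 'lang' or 'lang_REGION'.
        $norm = str_replace('-', '_', strtolower($tag));
        foreach (SUPPORTED_LOCALES as $locale) {
            $l = strtolower($locale);
            if ($norm === $l || $norm === substr($l, 0, 2)) {
                return $locale;
            }
        }
    }
    return DEFAULT_LOCALE;
}

/**
 * Build the translation file path. Because $locale must be on the allow-list,
 * the path is a constant directory plus a known name; nothing from the header
 * is concatenated into it. Callers should load it with include_once so a
 * translation file that itself includes common code cannot recurse.
 */
function languageFilePath(string $locale): string
{
    if (!in_array($locale, SUPPORTED_LOCALES, true)) {
        throw new InvalidArgumentException('locale not in allow-list');
    }
    return __DIR__ . '/locale/' . $locale . '/messages.php';
}

// Demonstration with constructed header values (including a hostile one).
foreach ([
    'de-DE,de;q=0.9,en;q=0.8',
    'fr',
    '../../../../etc/passwd',       // no tag matches the grammar: falls back
    'pt-BR;q=0.5, en-US;q=0.9',
    '',
] as $h) {
    printf("%-32s -> %s\n", var_export($h, true), negotiateLocale($h));
}
```

The point of the design is that the only value ever passed to the file system is chosen by the server from SUPPORTED_LOCALES; the client can influence which allow-listed entry wins, but not introduce a path, and the allow-list plus include_once bounds both the set of files and the depth of inclusion.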