phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection Exploit

2011-11-06T00:00:00
ID SECURITYVULNS:DOC:27266
Type securityvulns
Reporter Securityvulns
Modified 2011-11-06T00:00:00

Description

phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection Exploit

author...............: EgiX mail.................: n0b0d13s[at]gmail[dot]com software link........: http://phpldapadmin.sourceforge.net/ affected versions....: from 1.2.0 to 1.2.1.1

[-] vulnerable code in /lib/functions.php

  1. function masort(&$data,$sortby,$rev=0) {
  2. if (defined('DEBUG_ENABLED') && DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
  3. debug_log('Entered (%%)',1,0,FILE,LINE,METHOD,$fargs);
  4. if the array to sort is null or empty

  5. if (! $data) return;
  6. static $CACHE = array();
  7. if (empty($CACHE[$sortby])) {
  8. $code = "\$c=0;\n";
  9. foreach (explode(',',$sortby) as $key) {
  10. $code .= "if (is_object(\$a) || is_object(\$b)) {\n";
  11. $code .= " if (is_array(\$a->$key)) {\n";
  12. $code .= " asort(\$a->$key);\n";
  13. $code .= " \$aa = array_shift(\$a->$key);\n";

..

  1. $code .= 'return $c;';
  2. $CACHE[$sortby] = create_function('$a, $b',$code);
  3. }

The $sortby parameter passed to 'masort' function isn't properly sanitized before being used in a call to create_function() at line 1080, this can be exploited to inject and execute arbitrary PHP code. The only possible attack vector is when handling the 'query_engine' command, here input passed through $_REQUEST['orderby'] is passed as $sortby parameter to 'masort' function.

[-] Disclosure timeline:

[30/09/2011] - Vulnerability discovered [02/10/2011] - Issue reported to http://sourceforge.net/support/tracker.php?aid=3417184 [05/10/2011] - Fix committed: http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;h=76e6dad [23/10/2011] - Public disclosure

[-] Proof of concept:

http://www.exploit-db.com/exploits/18021/