The $sortby parameter passed to the 'masort' function isn't properly sanitized before being used in a call to create_function()
at line 1080; this can be exploited to inject and execute arbitrary PHP code. The only possible attack vector is the handling of
the 'query_engine' command, where input passed through $_REQUEST['orderby'] is passed as the $sortby parameter to the 'masort' function.
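
A hardened take on the pattern described above, as an added example (not phpLDAPadmin's code and not the committed fix): sort keys taken from `orderby` are checked against an allowlist pattern and consumed by a closure, so no PHP source is ever built from request input. The names `parse_sort_keys`, `sort_value` and `safe_masort`, the key pattern, the case-insensitive comparison and the sample data are assumptions.

```php
<?php
// Added example: hypothetical replacement for a masort()-style helper.
// Sort keys are treated as data: validated first, then used only for lookups.

function parse_sort_keys(string $sortby): array {
    $keys = [];
    foreach (explode(',', $sortby) as $key) {
        $key = trim($key);
        // Allowlist (assumed policy): attribute-like identifiers only.
        if (!preg_match('/\A[A-Za-z][A-Za-z0-9_-]{0,63}\z/', $key)) {
            throw new InvalidArgumentException('Invalid sort key');
        }
        $keys[] = $key;
    }
    return $keys;
}

function sort_value($item, string $key): string {
    if (is_object($item))    { $v = $item->$key ?? ''; }
    elseif (is_array($item)) { $v = $item[$key] ?? ''; }
    else                     { $v = ''; }
    if (is_array($v)) {          // multi-valued attribute: compare on lowest value
        sort($v);
        $v = $v ? reset($v) : '';
    }
    return is_scalar($v) ? (string)$v : '';
}

function safe_masort(array &$data, string $sortby, bool $rev = false): void {
    if (!$data) return;
    $keys = parse_sort_keys($sortby);
    // The closure captures the keys by value; nothing is compiled from input.
    uasort($data, function ($a, $b) use ($keys, $rev) {
        foreach ($keys as $key) {
            $c = strcasecmp(sort_value($a, $key), sort_value($b, $key));
            if ($c !== 0) return $rev ? -$c : $c;
        }
        return 0;
    });
}

// Constructed sample data, not taken from the advisory.
$rows = ['x' => (object)['cn' => 'Zed', 'uid' => ['b', 'a']],
         'y' => (object)['cn' => 'amy', 'uid' => ['c']]];
safe_masort($rows, 'cn,uid');
echo implode(',', array_keys($rows)), "\n";
try { safe_masort($rows, 'cn;uid'); }        // ';' is outside the allowlist
catch (InvalidArgumentException $e) { echo "rejected: ", $e->getMessage(), "\n"; }
```

create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so a closure is the only form that still runs on current PHP versions.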

[-] Disclosure timeline:

[30/09/2011] - Vulnerability discovered
[02/10/2011] - Issue reported to http://sourceforge.net/support/tracker.php?aid=3417184
[05/10/2011] - Fix committed: http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;h=76e6dad
[23/10/2011] - Public disclosure

[-] Proof of concept:

http://www.exploit-db.com/exploits/18021/

{"id": "SECURITYVULNS:DOC:27266", "bulletinFamily": "software", "title": "phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection Exploit", "description": "\r\nphpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection Exploit\r\n\r\n\r\nauthor...............: EgiX\r\nmail.................: n0b0d13s[at]gmail[dot]com\r\nsoftware link........: http://phpldapadmin.sourceforge.net/\r\naffected versions....: from 1.2.0 to 1.2.1.1\r\n\r\n\r\n[-] vulnerable code in /lib/functions.php\r\n\r\n1002. function masort(&$data,$sortby,$rev=0) {\r\n1003. if (defined('DEBUG_ENABLED') && DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))\r\n1004. debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);\r\n1005. \r\n1006. # if the array to sort is null or empty\r\n1007. if (! $data) return;\r\n1008. \r\n1009. static $CACHE = array();\r\n1010. \r\n1011. if (empty($CACHE[$sortby])) {\r\n1012. $code = "\$c=0;\n";\r\n1013. \r\n1014. foreach (explode(',',$sortby) as $key) {\r\n1015. $code .= "if (is_object(\$a) || is_object(\$b)) {\n";\r\n1016. \r\n1017. $code .= " if (is_array(\$a->$key)) {\n";\r\n1018. $code .= " asort(\$a->$key);\n";\r\n1019. $code .= " \$aa = array_shift(\$a->$key);\n";\r\n\r\n..\r\n\r\n1078. $code .= 'return $c;';\r\n1079. \r\n1080. $CACHE[$sortby] = create_function('$a, $b',$code);\r\n1081. }\r\n\r\nThe $sortby parameter passed to 'masort' function isn't properly sanitized before being used in a call to create_function()\r\nat line 1080, this can be exploited to inject and execute arbitrary PHP code. 
The only possible attack vector is when handling\r\nthe 'query_engine' command, here input passed through $_REQUEST['orderby'] is passed as $sortby parameter to 'masort' function.\r\n\r\n\r\n[-] Disclosure timeline:\r\n\r\n[30/09/2011] - Vulnerability discovered\r\n[02/10/2011] - Issue reported to http://sourceforge.net/support/tracker.php?aid=3417184\r\n[05/10/2011] - Fix committed: http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;h=76e6dad\r\n[23/10/2011] - Public disclosure\r\n\r\n\r\n[-] Proof of concept:\r\n\r\nhttp://www.exploit-db.com/exploits/18021/\r\n", "published": "2011-11-06T00:00:00", "modified": "2011-11-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27266", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:42", "edition": 1, "viewCount": 12, "enchantments": {"score": {"value": 2.3, "vector": "NONE"}, "dependencies": {"references": []}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12022"]}]}, "exploitation": null, "vulnersScore": 2.3}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}