phpLDAPadmin <= (lib/functions.php) PHP Code Injection Vulnerability


phpLDAPadmin contains a flaw in the lib/functions.php script, which fails to properly sanitize user-supplied input passed to the cmd.php script via the ‘orderby’ parameter before using it in a call to the PHP create_function() function. This allows a remote attacker to inject and execute arbitrary PHP code.


Disclosure Date:

October 23, 2011
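The class of fix for the flaw described above, as an added example that is not phpLDAPadmin's own code: validate the sort key as an attribute name and compare with a closure, so the request value never becomes PHP source text. The function name sort_entries_safe, the comma-separated format of orderby, and the sample entries are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Unsafe pattern named in the advisory (simplified illustration, not the project's code):
//   $cmp = create_function('$a, $b', "return strcmp(\$a['$orderby'], \$b['$orderby']);");
// The request value is spliced into PHP source text, so it is parsed as code, not data.

/**
 * Sort entries by one or more attribute names without generating code.
 * $orderby is a comma-separated attribute list (assumed format).
 */
function sort_entries_safe(array $entries, string $orderby): array
{
    $keys = [];
    foreach (explode(',', $orderby) as $name) {
        $name = trim($name);
        // Accept only LDAP-style attribute names: a letter, then letters, digits, hyphens.
        if (!preg_match('/\A[A-Za-z][A-Za-z0-9-]{0,63}\z/', $name)) {
            throw new InvalidArgumentException('invalid orderby attribute');
        }
        $keys[] = strtolower($name);
    }

    usort($entries, function (array $a, array $b) use ($keys): int {
        foreach ($keys as $k) {
            $c = strcasecmp((string)($a[$k] ?? ''), (string)($b[$k] ?? ''));
            if ($c !== 0) {
                return $c;
            }
        }
        return 0;
    });
    return $entries;
}

// Constructed sample data, not taken from a real directory.
$entries = [
    ['cn' => 'Bob', 'sn' => 'Young'],
    ['cn' => 'alice', 'sn' => 'Zed'],
    ['cn' => 'Alice', 'sn' => 'Adams'],
];
print_r(array_column(sort_entries_safe($entries, 'cn,sn'), 'sn'));

try {
    sort_entries_safe($entries, 'not an attribute!'); // constructed invalid input
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so code that still depends on it has to move to closures of this kind anyway.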