phpLDAPadmin <= 1.2.1.1 (lib/functions.php) PHP Code Injection Vulnerability
Description:
phpLDAPadmin contains a flaw in the lib/functions.php script, which fails to properly sanitize user-supplied input passed to the cmd.php script via the ‘orderby’ parameter before using it in a call to the create_function() PHP function. This allows a remote attacker to inject and execute arbitrary PHP code.
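Added example (not phpLDAPadmin's code): the class of flaw described above, a request value spliced into create_function() source, next to a form that treats the value as data only. The function names, the attribute allowlist and the comma-separated ‘orderby’ format are assumptions made for illustration.

```php
<?php
// Added illustration, not phpLDAPadmin's code; every name below is hypothetical.
// Vulnerable pattern, kept as a comment (create_function() was removed in PHP 8.0).
// The comparator body is PHP source built from the request value, so whatever
// arrives in $orderby is compiled and executed:
//   $cmp = create_function('$a, $b', "return strcmp(\$a['$orderby'], \$b['$orderby']);");
//   usort($entries, $cmp);

// Hardened form: the request value is only ever used as an array key, and only
// after every requested key matches an allowlist of sortable attributes.
const SORTABLE_ATTRS = ['cn', 'uid', 'mail']; // assumed attribute set

function parse_orderby(string $raw): array
{
    $keys = [];
    foreach (explode(',', $raw) as $key) {
        $key = strtolower(trim($key));
        if (!in_array($key, SORTABLE_ATTRS, true)) {
            throw new InvalidArgumentException('unsupported sort attribute');
        }
        $keys[] = $key;
    }
    return $keys;
}

function sort_entries(array $entries, string $orderby): array
{
    $keys = parse_orderby($orderby);
    // A closure replaces generated source; $keys is captured as data.
    usort($entries, function (array $a, array $b) use ($keys): int {
        foreach ($keys as $k) {
            $c = strcasecmp($a[$k] ?? '', $b[$k] ?? '');
            if ($c !== 0) {
                return $c;
            }
        }
        return 0;
    });
    return $entries;
}

// Constructed sample data.
$entries = [['cn' => 'Bob', 'uid' => 'bob'], ['cn' => 'alice', 'uid' => 'alice']];
print_r(array_column(sort_entries($entries, 'cn'), 'cn'));
try {
    sort_entries($entries, 'not_an_attribute'); // outside the allowlist
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```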
References:
Disclosure Date:
October 23, 2011