Security Vulnerabilities in phpLDAPadmin - Please get in touch

[anpfeff]

Dear @leenooks,

I would like to kindly ask you to get in touch with me regarding the security vulnerabilities I reported to you on 2024-07-29 via email. In addition, I suggest that a security.md file is created in this repository in order to simplify the process of reporting phpLDAPadmin vulnerabilities.

I am always happy to help if you need advice for implementing the security fixes.

Best,
Andreas

[anpfeff]

Hi @leenooks,

As I have not received any replies to my emails on 2024-07-29, 2024-08-11, nor 2024-09-12, I will try it again via this issue: Please get in touch with me regarding the security vulnerabilities I informed you about in my initial email. Do you have any questions or can I help you in preparing the fixes? I would be happy to assist you. Please note that we have a policy to inform the public about vulnerabilities within 90 days (as explained in my initial email). In this case, we would publish the security advisories towards the end of October.

[williamdes]

If no reply please reach out to williamdes@wdes.fr so I can prepare the security release for Debian

[anpfeff]

We published the security advisory today: https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/

[williamdes]

We published the security advisory today: https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/

Thank you, I am forwarding this to Debian security
and will process your emails, thank you so much
And sorry for the delay
this is very well written!

[williamdes]

https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c32f9dd

[cfi-gb]

For tracking purposes (so that this is getting easier found), there seems to be the following two CVEs assigned now:

• CVE-2024-9101
• CVE-2024-9102

[leenooks]

PLA v1.x is deprecated and no more development work will be applied against it. All focus is bring v2 to life. That said, I recommend providing a pull request to address any vulnerabilities, so that other users who continue to use v1.2 may apply it to address them. If there are multiple requests to merge the pull request to BRANCH-1.2, I'll merge it, however, they will not be reviewed, tested nor validated.

CVE-2024-9102 is ridiculous and wont be addressed.
If LDAP administrators choose to put bad data in their LDAP server (eg: rm -rf /*) and then choose to export that data and use it in a third party tool (eg: bash), they do so understanding their may be a risk and consequence of using that data without understanding what the 3rd party tool may do with it.

It is not the intention of PLA to control what data Administrators can put in their LDAP database, nor filter it on export.

[williamdes]

I am pushing the patch for CVE-2024-9101 into Debian: https://sources.debian.org/src/phpldapadmin/1.2.6.7-4/debian/patches/CVE-2024-9101.patch/

Patch: https://salsa.debian.org/php-team/pear/phpldapadmin/-/commit/11e1b33119c8d6062b70e8f170e6bc53fb91934e

And agree that CVE-2024-9102 is not for for this project to fix it. Can it be rejected at "Switzerland Government Common Vulnerability Program" ?

[leenooks]

Yeah, I dont know how to respond directly to these CVEs, but if somebody wants to do that, or reference this ticket, happy for them to do so.

[cfi-gb]

In generally if some one wants to dispute or directly ask Mitre to reject a specific CVE the following form can be used:

https://cveform.mitre.org/

In this particular case it seems Mitre is not the CNA but the "Switzerland Government Common Vulnerability Program" according to https://nvd.nist.gov/vuln/detail/CVE-2024-9102, and AFAICT for such cases the CNA needs to be contacted directly after looking up the contact address here:

https://www.cve.org/ReportRequest/ReportRequestForNonCNAs#UpdateCVERecord

[carnil]

I mailed the CNA since was not sure if anybody did already.

[carnil]

I mailed the CNA since was not sure if anybody did already.

FWIW: The CVE got marked as "disputed" now.