
Security Vulnerabilities in phpLDAPadmin - Please get in touch #274

Open
anpfeff opened this issue Aug 20, 2024 · 7 comments
Labels
old Old version of PLA, may not be fixed.

Comments

anpfeff commented Aug 20, 2024

Dear @leenooks,

I would like to kindly ask you to get in touch with me regarding the security vulnerabilities I reported to you on 2024-07-29 via email. In addition, I suggest that a security.md file is created in this repository in order to simplify the process of reporting phpLDAPadmin vulnerabilities.

I am always happy to help if you need advice for implementing the security fixes.

Best,
Andreas

anpfeff commented Sep 26, 2024

Hi @leenooks,

As I have not received any replies to my emails on 2024-07-29, 2024-08-11, nor 2024-09-12, I will try it again via this issue: Please get in touch with me regarding the security vulnerabilities I informed you about in my initial email. Do you have any questions or can I help you in preparing the fixes? I would be happy to assist you. Please note that we have a policy to inform the public about vulnerabilities within 90 days (as explained in my initial email). In this case, we would publish the security advisories towards the end of October.

@williamdes

If no reply please reach out to [email protected] so I can prepare the security release for Debian

anpfeff commented Dec 19, 2024

We published the security advisory today: https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/

@williamdes

> We published the security advisory today: https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/

Thank you, I am forwarding this to Debian security and will process your emails, thank you so much. And sorry for the delay; this is very well written!

cfi-gb commented Dec 23, 2024

For tracking purposes (so that this can be found more easily), there seem to be the following two CVEs assigned now:

@leenooks leenooks added the old Old version of PLA, may not be fixed. label Jan 13, 2025
@leenooks (Owner)

PLA v1.x is deprecated and no more development work will be applied against it. All focus is on bringing v2 to life. That said, I recommend providing a pull request to address any vulnerabilities, so that other users who continue to use v1.2 may apply it to address them. If there are multiple requests to merge the pull request to BRANCH-1.2, I'll merge it; however, they will not be reviewed, tested nor validated.

CVE-2024-9102 is ridiculous and won't be addressed.
If LDAP administrators choose to put bad data in their LDAP server (e.g. rm -rf /*) and then choose to export that data and use it in a third-party tool (e.g. bash), they do so understanding there may be a risk and consequence of using that data without understanding what the 3rd-party tool may do with it.

It is not the intention of PLA to control what data Administrators can put in their LDAP database, nor filter it on export.
