Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Fabio Tranchitella <kobold@debian.org>. (Sat, 23 Jun 2018 08:48:04 GMT)
Marked as found in versions phpldapadmin/1.2.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 23 Jun 2018 09:54:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Fabio Tranchitella <kobold@debian.org>: Bug#902186; Package phpldapadmin. (Mon, 08 Oct 2018 18:57:05 GMT)
Acknowledgement sent to Dominik George <natureshadow@debian.org>: Extra info received and forwarded to list. Copy sent to Fabio Tranchitella <kobold@debian.org>. (Mon, 08 Oct 2018 18:57:05 GMT)
Cc: Debian Bug Tracking System <902186@bugs.debian.org>
Subject: Re: CVE-2018-12689
Date: Mon, 8 Oct 2018 20:55:35 +0200
Control: tags -1 + moreinfo
Control: severity -1 important
Hi there,
On Sat, Jun 23, 2018 at 10:45:39AM +0200, Moritz Muehlenhoff wrote:
> Package: phpldapadmin
> Severity: grave
> Tags: security
>
> Please see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12689
I am triaging this bug report because of a request of a user to get
phpLDAPAdmin into testing again, and the maintainer seems to be unresponsive.
Doing so, I found that in my opinion, the CVE is invalid. Neither of the PoCs
works.
PoC 1 (server_id parameter) does not work because the parameter is verified
using is_numeric before being passed on to anything special.
PoC 2 makes phpLDAPAdmin simply display "Invalid DN syntax for user".
No matter what, I was not able to get anything out of phpLDAPAdmin with the
information in the CVE and the referenced exploit. Thus, I am lowering the
priority of this bug report to important and asking you to provide more
information on how to produce the behaviour claimed in the CVE report.
Take care,
Nik
Added tag(s) moreinfo. Request was from Dominik George <natureshadow@debian.org> to 902186-submit@bugs.debian.org. (Mon, 08 Oct 2018 18:57:05 GMT)
Severity set to 'important' from 'grave'. Request was from Dominik George <natureshadow@debian.org> to 902186-submit@bugs.debian.org. (Mon, 08 Oct 2018 18:57:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Fabio Tranchitella <kobold@debian.org>: Bug#902186; Package phpldapadmin. (Mon, 08 Oct 2018 20:39:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Fabio Tranchitella <kobold@debian.org>. (Mon, 08 Oct 2018 20:39:03 GMT)
Cc: Debian Bug Tracking System <902186@bugs.debian.org>
Subject: Re: CVE-2018-12689
Date: Mon, 8 Oct 2018 22:35:25 +0200
On Mon, Oct 08, 2018 at 08:55:35PM +0200, Dominik George wrote:
> Control: tags -1 + moreinfo
> Control: severity -1 important
>
> Hi there,
>
> On Sat, Jun 23, 2018 at 10:45:39AM +0200, Moritz Muehlenhoff wrote:
> > Package: phpldapadmin
> > Severity: grave
> > Tags: security
> >
> > Please see
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12689
>
> I am triaging this bug report because of a request of a user to get
> phpLDAPAdmin into testing again, and the maintainer seems to be unresponsive.
>
> Doing so, I found that in my opinion, the CVE is invalid. Neither of the PoCs
> works.
>
> PoC 1 (server_id parameter) does not work because the parameter is verified
> using is_numeric before being passed on to anything special.
>
> PoC 2 makes phpLDAPAdmin simply display "Invalid DN syntax for user".
>
> No matter what, I was not able to get anything out of phpLDAPAdmin with the
> information in the CVE and the referenced exploit. Thus, I am lowering the
> priority of this bug report to important and asking you to provide more
> information on how to produce the behaviour claimed in the CVE report.
We're just filing these bugs as they come in from MITRE, I don't even
use phpldapadmin and most probably never will.
I suggest you report this upstream and if they agree that it's confirmed to
be a non-issue, ask for a rejection via https://cveform.mitre.org/.
Cheers,
Moritz
Reply sent to Antoine Beaupre <anarcat@debian.org>: You have taken responsibility. (Wed, 31 Oct 2018 17:21:03 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Wed, 31 Oct 2018 17:21:03 GMT)
Hi,
[Adding original security researcher in CC.]
On Mon, Oct 08, 2018 at 08:55:35PM +0200, Dominik George wrote:
> Hi there,
>
> On Sat, Jun 23, 2018 at 10:45:39AM +0200, Moritz Muehlenhoff wrote:
> > Package: phpldapadmin
> > Severity: grave
> > Tags: security
> >
> > Please see
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12689
>
> I am triaging this bug report because of a request of a user to get
> phpLDAPAdmin into testing again, and the maintainer seems to be unresponsive.
>
> Doing so, I found that in my opinion, the CVE is invalid. Neither of the PoCs
> works.
>
> PoC 1 (server_id parameter) does not work because the parameter is verified
> using is_numeric before being passed on to anything special.
>
> PoC 2 makes phpLDAPAdmin simply display "Invalid DN syntax for user".
>
> No matter what, I was not able to get anything out of phpLDAPAdmin with the
> information in the CVE and the referenced exploit. Thus, I am lowering the
> priority of this bug report to important and asking you to provide more
> information on how to produce the behaviour claimed in the CVE report.
I can confirm that the issue is unreproducible in Debian jessie, with
package version 1.2.2. I have verified the code and I confirm that the
parameter is indeed checked.
1. Config->getServer($index) calls
2. Datastore->Instance($index), which does:

       # If no index defined, then pick the lowest one.
       if (is_null($index) || ! trim($index) || ! is_numeric($index))
           $index = min($this->GetServerList())->getIndex();

3. Datastore->getIndex() returns the internally managed $index parameter,
   which is incremented when a new server is added to the datastore, in
   Datastore->newServer()
I doubt there's any real security vulnerability here and will proceed to
get this rejected with Mitre, as advised. I will also update the
security tracker as appropriate.
M. Dusunur, if you disagree with this analysis, please provide more
solid evidence to back your claims that the vulnerability exists in PHP
LDAP admin.
A.
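An added illustration, not phpLDAPAdmin's own code and not part of the message above: a stand-alone PHP model of the Datastore->Instance() guard Antoine quotes, run over constructed inputs so the reader can see which server_id values the is_numeric() condition replaces with the lowest index and which numeric-looking strings it still passes through unchanged. The server list, the probe values and the stricter variant are assumptions made for this demo.

```php
<?php
// Added example (not phpLDAPAdmin's code): models the quoted guard.
// Constructed sample: two configured servers, indexed 0 and 1.
$servers = [0 => 'ldap://ldap0.example.test', 1 => 'ldap://ldap1.example.test'];

// Same condition as the snippet quoted in the thread. A null, blank or
// non-numeric index is replaced by the lowest configured index; anything
// else is returned as-is, so the caller still has to check that
// $servers[$index] exists (min() over keys stands in for the object
// comparison the real code performs on its server list).
function resolveIndexLoose(?string $index, array $servers)
{
    if (is_null($index) || ! trim($index) || ! is_numeric($index)) {
        $index = min(array_keys($servers));
    }
    return $index;
}

// Assumed stricter variant, not taken from the project: accept only a
// string of digits that names an existing server; otherwise fall back
// the same way. ctype_digit() rejects signs, whitespace, '.' and 'e'.
function resolveIndexStrict(?string $index, array $servers): int
{
    if ($index === null || ! ctype_digit($index) || ! isset($servers[(int) $index])) {
        return min(array_keys($servers));
    }
    return (int) $index;
}

// Constructed probes: valid ids, blanks, plain garbage, and strings that
// is_numeric() accepts although they are not array keys of $servers.
// Note that '0' also hits the fallback because trim('0') is falsy in PHP.
$probes = ['1', '0', null, '', '   ', 'abc', '1abc', '1e1', '1.0', ' 1', '99'];

foreach ($probes as $p) {
    $loose = resolveIndexLoose($p, $servers);
    printf("%-8s loose=%-6s exists=%-5s strict=%d\n",
        var_export($p, true),
        var_export($loose, true),
        isset($servers[$loose]) ? 'yes' : 'no',
        resolveIndexStrict($p, $servers));
}
```

The "exists" column is the point: '1e1', '1.0', ' 1' and '99' survive the loose guard yet name no server, which is why a lookup must still verify the key (as the surrounding phpLDAPAdmin code does before using it).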