Bug 21370 - phpldapadmin new security issue CVE-2017-11107
Summary: phpldapadmin new security issue CVE-2017-11107
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO advisory MGA5-64-OK MGA6-64-OK
Keywords: validated_update
Depends on:
Reported: 2017-07-27 02:46 CEST by David Walser
Modified: 2017-08-15 11:58 CEST (History)
3 users (show)

See Also:
Source RPM: phpldapadmin-1.2.3-7.mga6.src.rpm
Status comment:


Description David Walser 2017-07-27 02:46:35 CEST
Fedora has issued an advisory on July 24:

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-07-27 02:46:43 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-07-27 17:54:07 CEST
Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.


Updated phpldapadmin package fixes security vulnerability:

phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php via the form,
element, rdn, or container parameter (CVE-2017-11107).


Updated packages in core/updates_testing:

from SRPMS:

Assignee: bugsquad => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Lewis Smith 2017-07-28 10:42:14 CEST

Whiteboard: MGA5TOO => MGA5TOO advisory
CC: (none) => lewyssmith

Comment 2 Herman Viaene 2017-08-03 16:09:56 CEST
MGA6-32 on Asus A6000VM MATE
Installation: no dependencies drawn in, but slapd is not installed, so manual fiddling necessary. LDAP administration is unknown territory for me.

CC: (none) => herman.viaene

Comment 3 claire robinson 2017-08-03 19:51:16 CEST
Testing mga5 64 as far as ensuring the phpldapadmin login page is available at..


No idea how to configure openldap to actually be able to log in there though.

Any pointers?
Comment 4 Lewis Smith 2017-08-14 21:44:57 CEST
Probing M5_64

Project site, actually rather good:
has important advice about config file example & updates. The real one is at

BEFORE the update:
Comment 5 Lewis Smith 2017-08-14 22:02:59 CEST
[damo] phpldapadmin-1.2.3-5.mga5
and (thanks Claire)
 http://localhost/phpldapadmin ->
shows a nice "php/LDAP/admin" page.

"The config.php file must be in the config/ directory. An example config.php file is provided with the PLA source code - it is called config.php.example and you will also find it in the config/ directory. You should copy or rename this file to config.php before you use PLA for the first time.
Each new release will only update the config.php.example file and you may need to merge the updates to your config.php to take advantage of any new features and functions."
No sign of config.php.example; nor anything in /usr/share/[doc/].

Going for a clean update only: phpldapadmin-1.2.3-5.1.mga5
Again no sign of config.php.example . /etc/phpldapadmin/config.php does not seem to have been touched.
http://localhost/phpldapadmin shows the same page as previously.
Enough for an OK, since we have no time currently to explore this thing.

Whiteboard: MGA5TOO advisory => MGA5TOO advisory MGA5-64-OK

Comment 6 Lewis Smith 2017-08-15 08:56:56 CEST
Testing Mageia 6 x64

BEFORE the update: phpldapadmin-1.2.3-7.mga6
(installing which pulled in 30 pkgs, Apache included; had to start that).
 http://localhost/phpldapadmin showed the usual "php/LDAP/admin" page.

 # ls -l /etc/phpldapadmin/
 -rw-r----- 1 root apache 24994 Hyd  13  2016 config.php

AFTER update to: phpldapadmin-1.2.3-7.1.mga6
 # ls -l /etc/phpldapadmin/
 -rw-r----- 1 root apache 24994 Gor  27 17:40 config.php
so I was probably wrong about this in my Comment 5. It looks like the config file is replaced by the update, but has exactly the same size.

 http://localhost/phpldapadmin shows the usual page, + the additional comment:
"Configuration cache stale.
Your configuration has been automatically refreshed."
(which again I may have overlooked in Comment 5).

Good enough for an OK. Validating also, both releases done.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA5TOO advisory MGA5-64-OK => MGA5TOO advisory MGA5-64-OK MGA6-64-OK

Comment 7 Mageia Robot 2017-08-15 11:58:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.