Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LAM vulnerable to Authenticated Remote Code Execution
Vulnerability Description
LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When the file is then accessed via web the code would be executed. The issue is mitigated by the following: An attacker needs to know LAM's master configuration password to be able to change the main settings; and the webserver needs write access to a directory that is accessible via web. LAM itself does not provide any such directories. The issue has been fixed in 8.7. As a workaround, limit access to LAM configuration pages to authorized users.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
LDAP Account Manager 注入漏洞
Vulnerability Description
LDAP Account Manager是一个 Web 前端,用于管理存储在 LDAP 目录中的条目(例如用户、组、DHCP 设置)。 LDAP Account Manager (LAM) 8.7之前版本存在安全漏洞,该漏洞源于日志配置允许为日志文件指定任意路径,攻击者利用该漏洞可以将一些 PHP 代码记录到日志文件中,当通过网络访问该文件时,代码将被执行。
CVSS Information
N/A
Vulnerability Type
N/A