Control: tags -1 + moreinfo
Control: severity -1 important

Hi there,

On Sat, Jun 23, 2018 at 10:45:39AM +0200, Moritz Muehlenhoff wrote:
> Package: phpldapadmin
> Severity: grave
> Tags: security
>
> Please see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12689

I am triaging this bug report because of a request from a user to get
phpLDAPAdmin into testing again, and the maintainer seems to be
unresponsive.

Doing so, I found that in my opinion, the CVE is invalid. Neither of the
PoCs works.

PoC 1 (server_id parameter) does not work because the parameter is
verified using is_numeric before being passed on to anything special.

PoC 2 makes phpLDAPAdmin simply display "Invalid DN syntax for user".

No matter what, I was not able to get anything out of phpLDAPAdmin with
the information in the CVE and the referenced exploit.

Thus, I am lowering the priority of this bug report to important and
asking you to provide more information on how to produce the behaviour
claimed in the CVE report.

Take care,
Nik