LDAP Account Manager Vulnerability: Arbitrary Code Execution via Log Configuration
CVE-2024-23333
What is CVE-2024-23333?
LDAP Account Manager (LAM) is a web frontend for managing entries in an LDAP directory. Prior to version 8.7, its log configuration settings accepted arbitrary file paths for the log output. An attacker could point the log file at a PHP file in a location served by the web server, then cause LAM to write PHP code into it as part of a log message; when the crafted log file is requested through the web server, the embedded PHP code executes, potentially compromising the application and the underlying server. Exploitation requires knowledge of LAM's master configuration password, which is needed to change the main settings, and it also requires the web server to have write access to a publicly accessible directory, which LAM does not create by default. The flaw is fixed in release 8.7; as a precaution, access to LAM's configuration pages should be restricted to authorized users.
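The description above only says that the log path was unrestricted before 8.7. As an added illustration (not LAM's own code, and with hypothetical directory names), this is the kind of allowlist check a defender would apply to any operator-supplied log destination: the path must normalise to a non-executable file directly inside a dedicated log directory and never inside the web document root, so that a log file can never become a script the web server will run.

```python
import posixpath

# Hypothetical deployment layout for this example; real paths vary per install.
ALLOWED_LOG_DIR = "/var/log/lam"
WEB_ROOT = "/var/www/html"
# Extensions a typical PHP-enabled web server would execute if reachable over HTTP.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def validate_log_path(configured: str,
                      allowed_dir: str = ALLOWED_LOG_DIR,
                      web_root: str = WEB_ROOT) -> tuple[bool, str]:
    """Return (ok, detail). On success detail is the normalised path to use;
    on failure it is the reason the path was rejected."""
    if "\x00" in configured:
        return False, "embedded NUL byte in log path"
    if not configured.startswith("/"):
        return False, "log path must be absolute"
    # Lexical normalisation collapses '..' and '.', so a path like
    # /var/log/lam/../../www/html/x.php is judged by where it really lands.
    # Symlinks are not resolved here; the writer should also realpath() the
    # file at open time so a link inside the log dir cannot escape it.
    norm = posixpath.normpath(configured)
    root = posixpath.normpath(web_root)
    allowed = posixpath.normpath(allowed_dir)
    if norm == root or norm.startswith(root + "/"):
        return False, "log path is inside the web document root"
    if posixpath.dirname(norm) != allowed:
        return False, f"log path must be a file directly inside {allowed}"
    suffix = posixpath.splitext(norm)[1].lower()
    if suffix in EXECUTABLE_SUFFIXES:
        return False, f"executable extension {suffix!r} is not allowed for logs"
    return True, norm


if __name__ == "__main__":
    for candidate in ("/var/log/lam/lam.log",
                      "/var/www/html/lam.php",
                      "/var/log/lam/../../www/html/x.php",
                      "/var/log/lam/lam.php"):
        print(candidate, "->", validate_log_path(candidate))
```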

Affected Version(s)
lam < 8.7
