On Mon, Oct 08, 2018 at 08:55:35PM +0200, Dominik George wrote:
> Control: tags -1 + moreinfo
> Control: severity -1 important
>
> Heisann,
>
> On Sat, Jun 23, 2018 at 10:45:39AM +0200, Moritz Muehlenhoff wrote:
> > Package: phpldapadmin
> > Severity: grave
> > Tags: security
> >
> > Please see
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12689
>
> I am triaging this bug report because of a request of a user to get
> phpLDAPAdmin into testing again, and the maintainer seems to be unresponsive.
>
> Doing so, I found that in my opinion, the CVE is invalid. Neither of the PoCs
> works.
>
> PoC 1 (server_id parameter) does not work because the parameter is verified
> using is_numeric before being passed on to anything special.
>
> PoC 2 makes phpLDAPAdmin simply display "Invalid DN syntax for user".
>
> No matter what, I was not able to get anything out of phpLDAPAdmin with the
> information in the CVE and the referenced exploit. Thus, I am lowering the
> priority of this bug report to important and asking you to provide more
> information on how to reproduce the behaviour claimed in the CVE report.

We're just filing these bugs as they come in from MITRE, I don't even
use phpldapadmin and most probably never will.

I suggest you report this upstream and if they agree that it's confirmed to
be a non-issue, ask for a rejection via https://cveform.mitre.org/.

Cheers,
Moritz