On Mon, Oct 08, 2018 at 08:55:35PM +0200, Dominik George wrote:
> Control: tags -1 + moreinfo
> Control: severity -1 important
>
> Heisann,
>
> On Sat, Jun 23, 2018 at 10:45:39AM +0200, Moritz Muehlenhoff wrote:
> > Package: phpldapadmin
> > Severity: grave
> > Tags: security
> >
> > Please see
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12689
>
> I am triaging this bug report because of a request of a user to get
> phpLDAPAdmin into testing again, and the maintainer seems to be unresponsive.
>
> Doing so, I found that in my opinion, the CVE is invalid. Neither of the PoCs
> works.
>
> PoC 1 (server_id parameter) does not work because the parameter is verified
> using is_numeric before being passed on to anything special.
>
> PoC 2 makes phpLDAPAdmin simply display "Invalid DN syntax for user".
>
> No matter what, I was not able to get anything out of phpLDAPAdmin with the
> information in the CVE and the referenced exploit. Thus, I am lowering the
> priority of this bug report to important and asking you to provide more
> information on how to produce the behaviour claimed in the CVE report.
We're just filing these bugs as they come in from MITRE, I don't even use
phpldapadmin and most probably never will. I suggest you report this upstream
and if they agree that it's confirmed to be a non-issue, ask for a rejection
via https://cveform.mitre.org/.

Cheers,
Moritz
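The triage note above rests on one check: the server_id parameter is gated by PHP's is_numeric() before it reaches anything else. The script below is an added illustration, not phpLDAPAdmin's code, of what such a gate accepts and rejects on constructed inputs, beside a stricter integer-index check a maintainer might prefer. The function names gate_is_numeric() and gate_server_index() and the sample inputs are assumptions made for this example.

```php
<?php
// Added example; not phpLDAPAdmin code. Compares a loose is_numeric() gate
// on a request parameter with a strict integer-only gate. Sample inputs are
// constructed for illustration.

declare(strict_types=1);

/**
 * Loose gate, as described in the triage note: accept whatever is_numeric()
 * accepts. Note that this includes decimals ("1.5"), exponent notation
 * ("1e3") and leading whitespace, so the value is bounded to a numeric
 * string but is not guaranteed to be a plain integer.
 */
function gate_is_numeric(string $raw): ?string
{
    return is_numeric($raw) ? $raw : null;
}

/**
 * Strict gate: a short, non-negative decimal integer within a plausible range
 * for an index into a configured server list. ctype_digit() accepts only a
 * non-empty string of ASCII digits: no sign, whitespace, dot or exponent.
 */
function gate_server_index(string $raw, int $max = 99): ?int
{
    if (!ctype_digit($raw) || strlen($raw) > 3) {
        return null;
    }
    $v = (int) $raw;
    return $v <= $max ? $v : null;
}

// Constructed inputs: well-formed ids, malformed strings, and strings any
// validator should stop before they can reach code that builds a file path,
// a query or an LDAP DN.
$samples = ['0', '1', '12', '1.5', '1e3', ' 7', 'abc', '1;x', '../x', ''];

printf("%-8s %-12s %s\n", 'input', 'is_numeric', 'int-index');
foreach ($samples as $s) {
    printf("%-8s %-12s %s\n",
        var_export($s, true),
        gate_is_numeric($s) === null ? 'reject' : 'accept',
        gate_server_index($s) === null ? 'reject' : 'accept');
}
```

Run it with the PHP CLI; every non-numeric string is rejected by both gates, which is the observation behind the note's assessment of the first PoC, while the strict gate additionally rejects the decimal, exponent and whitespace forms that is_numeric() lets through.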