phpLDAPadmin query_engine Remote PHP Code Injection
Rocco Calvi
- Affected Vendor: phpLDAPadmin
- Affected Product: phpLDAPadmin
- Exploit Type: Metasploit Module
- Metasploit Module
exploit/multi/http/phpldapadmin_query_engine
Description
This module exploits a vulnerability in lib/functions.php in phpLDAPadmin versions 1.2.1.1 and earlier, where attacker-supplied input is passed directly to the PHP create_function() function, enabling remote code injection and execution.