Public exploit · Metasploit Module

phpLDAPadmin query_engine Remote PHP Code Injection

Published Rocco Calvi

Exploit summary

This module exploits a vulnerability in lib/functions.php in phpLDAPadmin versions 1.2.1.1 and earlier that allows attacker input to be parsed directly to the create_function() PHP function, enabling remote code injection and execution.

Source & references