CVE-2006-2016

Name of the Vulnerable Software and Affected Versions phpLDAPadmin versions 0.9.8 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via several parameters and fields in different PHP files, including the dn parameter in files such as compare form.php, copy form.php, rename form.php, template engine.php, and delete form.php, the scope parameter in search.php, and the Container DN, Machine Name, and UID Number fields in template engine.php. The estimated number of potentially affected devices worldwide is not specified.

Recommendations For phpLDAPadmin versions 0.9.8 and earlier, consider disabling the vulnerable parameters and fields, such as the dn parameter in compare form.php, copy form.php, rename form.php, template engine.php, and delete form.php, the scope parameter in search.php, and the Container DN, Machine Name, and UID Number fields in template engine.php, until a patch is available. Restrict access to the affected PHP files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.