PT-2024-35444 · Unknown · Ldap Account Manager

Maik-S · Published 2024-12-17 · Updated 2024-12-18 · CVE-2024-52792

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LDAP Account Manager (LAM) versions prior to 9.0

Description: LDAP Account Manager (LAM) is a PHP web frontend for managing entries stored in an LDAP directory. In affected versions, LAM does not properly sanitize configuration values set via mainmanage.php and confmain.php, allowing an attacker to set arbitrary config values. This can be achieved by inserting a newline into certain config fields, followed by the value, effectively smuggling arbitrary config values into a config file. The values are written to config.cfg or serverprofile.conf in the format of settingsName: settingsValue, line by line.
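The description above explains the root cause: a line-oriented "name: value" writer that never checks for line breaks. The following added example (not LAM's own code; the file layout, setting names and values are constructed for illustration) shows why a newline in one value turns into a second, attacker-chosen line on read-back, and the validation step that prevents it.

```python
"""Constructed example of a line-based config writer, the parser that reads
it back, and the check that rejects values containing line breaks."""


class UnsafeConfigValue(ValueError):
    """Raised when a setting name or value would break the line layout."""


def serialize(settings: dict) -> str:
    """Naive writer: one 'name: value' line per entry, no validation.
    A value containing '\\n' is emitted verbatim, so its tail becomes a new line."""
    return "".join(f"{name}: {value}\n" for name, value in settings.items())


def parse(text: str) -> dict:
    """Reader: every line is split on the first ': ' into name and value."""
    result = {}
    for line in text.splitlines():
        if ": " in line:
            name, value = line.split(": ", 1)
            result[name] = value
    return result


def validate_value(value: str) -> str:
    """Reject CR, LF and NUL: any of them ends or corrupts the current line."""
    if any(ch in value for ch in "\r\n\0"):
        raise UnsafeConfigValue("config value must not contain line breaks")
    return value


def validate_name(name: str) -> str:
    """Setting names are identifiers; anything else (including ': ') is refused."""
    if not name.isidentifier():
        raise UnsafeConfigValue(f"invalid setting name: {name!r}")
    return name


def serialize_safe(settings: dict) -> str:
    """Hardened writer: validates each name and value before emitting a line."""
    return serialize({validate_name(n): validate_value(v) for n, v in settings.items()})


def demo_roundtrip(settings: dict) -> dict:
    """What a reader sees after the naive writer stored the given settings."""
    return parse(serialize(settings))
```

With the naive writer, a single submitted value carrying a newline reads back as two settings; the hardened writer refuses the value instead of persisting it.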
Recommendations: For versions prior to 9.0, upgrade to version 9.0 to address the issue. As a temporary workaround, consider restricting access to mainmanage.php and confmain.php to minimize the risk of exploitation. Avoid editing the settingsName and settingsValue fields in the affected configuration files until the issue is resolved.

Related Identifiers

CVE-2024-52792
GHSA-6CP9-J5R7-XHCC
GHSA-FM9W-7M7V-WXQV

Affected Products

Debian
Ldap Account Manager