LDAP Account Manager Local File Inclusion Vulnerability in PDF Export Allowing Arbitrary Code Execution

Vulnerability

A local file inclusion vulnerability has been identified in the PDF export feature of LDAP Account Manager (LAM) in versions prior to 9.5. The root cause is improper validation of uploaded file extensions: any file type, including PHP files, can be uploaded, and an authenticated user can then have the PDF export include such a local PHP file, which leads to code execution. Combined with another vulnerability (GHSA-88hf-2cjm-m9g8), this could result in remote code execution as the web server user.

Impact

Exploitation of this vulnerability allows authenticated users to include local PHP files in the PDF export component, potentially executing arbitrary code on the server. This could lead to unauthorized access or manipulation of server-side resources and data.

Remediation

Users are advised to upgrade to LAM version 9.5, which addresses this vulnerability; the release is available from the LDAP Account Manager GitHub Releases page. As an interim measure, the directory containing LAM's configuration files can be made read-only for the web server user, and the PDF profile files can be deleted to disable PDF exports.
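As an added illustration (not LAM's own code) of the two checks the root cause above calls for: an allowlist on the extension of an uploaded profile, and a containment check before the export resolves a profile by name. PROFILE_DIR and the `xml` allowlist are assumptions, as are the constructed sample names.

```php
<?php
// Added example, not LAM's code. PROFILE_DIR and ALLOWED_EXT are assumptions.
declare(strict_types=1);

const PROFILE_DIR = '/var/lib/lam/pdf';   // assumed location, not LAM's real path
const ALLOWED_EXT = ['xml'];              // assumed profile format

/** Accept an uploaded profile name only if it is "stem.ext" with an allowlisted ext. */
function isSafeProfileName(string $name): bool
{
    // Path separators, NUL bytes or dot segments would let the name escape the directory.
    if ($name === '' || strpbrk($name, "/\\\0") !== false || $name === '.' || $name === '..') {
        return false;
    }
    $parts = explode('.', $name);
    // Exactly one extension: rejects double extensions such as "shell.php.xml".
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $parts[0])) {
        return false;
    }
    return in_array(strtolower($parts[1]), ALLOWED_EXT, true);
}

/** Resolve a profile for export; returns null unless the file stays inside $dir. */
function resolveProfilePath(string $name, string $dir = PROFILE_DIR): ?string
{
    if (!isSafeProfileName($name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so a link planted in the directory cannot point outside it.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample names: only the first one is accepted.
foreach (['users.xml', 'shell.php', 'shell.php.xml', '../config/lam.conf', "x\0.xml"] as $n) {
    printf("%-22s %s\n", addcslashes($n, "\0"), isSafeProfileName($n) ? 'accept' : 'reject');
}
```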

Added: Mar 18, 2026, 12:26 AM
Updated: Mar 18, 2026, 12:26 AM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact         10.0
  exploitability  4.8
  remediation     8.3
  relevance       4.2
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.