LDAP Account Manager PDF Export Component File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

LDAP Account Manager (LAM) versions prior to 9.5 do not properly validate the extensions of files uploaded through the PDF export component, so any file type, including PHP files, can be uploaded. An attacker can use this to achieve local file inclusion (LFI) and, when combined with another vulnerability in LAM, remote code execution as the web server user. The issue affects deployments where users can log into LAM's admin interface or config import.

Impact

Authenticated users can upload arbitrary files; an uploaded PHP file can then be included through local file inclusion and executed, resulting in remote code execution as the web server user.

Remediation

Users are advised to upgrade to LAM version 9.5. If an upgrade is not possible, the /var/lib/ldap-account-manager/config directory can be made read-only for the web server user to prevent exploitation.
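As an added illustration of the flaw class described above (example code, not LAM's own), the following shows the kind of suffix denylist that lets variants through next to a hardened upload check that accepts only an allowlist of extensions, requires the file's leading bytes to agree with that extension, and stores the file under a server-chosen name. The extension allowlist, the MAGIC table and the helper names are assumptions.

```python
import os
import re
import secrets

# Allowlist for a logo-style image upload (assumption: the kind of file a PDF
# export template would embed); anything else, PHP included, is refused.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes the content must carry so that it agrees with the extension.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def naive_is_allowed(filename: str) -> bool:
    """Denylist check of the kind that goes wrong: only an exact lower-case
    '.php' suffix is refused, so a case variant passes straight through."""
    return not filename.endswith(".php")

def validate_upload(original_name: str, data: bytes) -> str:
    """Return a server-chosen filename for storage, or raise ValueError.
    The client name is used only to read its final extension; the stored
    name is regenerated, so nothing from the original reaches the disk."""
    # Strip any directory part, whichever separator the client used.
    base = os.path.basename(original_name.replace("\\", "/"))
    if "\x00" in base:
        raise ValueError("NUL byte in filename")
    root, dot, ext = base.rpartition(".")
    ext = ext.lower()
    # Require name.ext with a plain alphanumeric extension ('logo.' and '.png' fail).
    if not dot or not root or not re.fullmatch(r"[a-z0-9]+", ext):
        raise ValueError("malformed filename")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension .{ext} not allowed")
    # The extension alone is not trusted: the bytes must look like the claimed type.
    if not any(data.startswith(m) for m in MAGIC[ext]):
        raise ValueError("content does not match extension")
    return f"{secrets.token_hex(8)}.{ext}"

def is_accepted(original_name: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload for quick checks."""
    try:
        validate_upload(original_name, data)
        return True
    except ValueError:
        return False
```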

Added: Mar 18, 2026, 12:25 AM
Updated: Mar 18, 2026, 12:25 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 10.0
exploitability: 3.8
remediation: 8.3
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.