CVE-2022-31087: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in LDAPAccountManager lam
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the tmp directory, which is accessible via /lam/tmp/, allows interpretation of .php (and .php5/.php4/.phpt/etc.) files. An attacker capable of writing files under www-data privileges can write a web shell into this directory and gain code execution on the host. This issue has been fixed in version 8.0. Users unable to upgrade should disallow executing PHP scripts in the (/var/lib/ldap-account-manager/)tmp directory.
AI Analysis
Technical Summary
CVE-2022-31087 is a vulnerability identified in LDAP Account Manager (LAM), a web-based frontend used for managing LDAP directory entries such as users, groups, and DHCP settings. The issue affects versions prior to 8.0 and stems from improper neutralization of special elements in output, classified under CWE-74 (Injection). Specifically, the vulnerability arises because the temporary directory used by LAM (/lam/tmp/), which is accessible via the web, allows execution of PHP scripts including .php, .php5, .php4, .phpt, and similar extensions. An attacker who has the capability to write files with www-data privileges (the typical web server user) can upload a malicious PHP web shell into this tmp directory. Once uploaded, the attacker can execute arbitrary code on the host server, effectively gaining remote code execution (RCE). This can lead to full system compromise depending on the privileges of the www-data user and the server configuration. The vulnerability was addressed and fixed in LAM version 8.0. For users who cannot upgrade immediately, a recommended mitigation is to disallow execution of PHP scripts in the tmp directory (commonly located at /var/lib/ldap-account-manager/tmp), for example by configuring the web server to deny PHP execution in that path. There are no known exploits in the wild reported to date, but the vulnerability presents a significant risk due to the potential for RCE if an attacker can write files to the tmp directory. The root cause is the unsafe handling of file uploads and execution permissions in a web-accessible directory, which is a common vector for injection and code execution attacks in web applications.
Potential Impact
For European organizations using LDAP Account Manager versions prior to 8.0, this vulnerability poses a medium to high risk. The ability to upload and execute arbitrary PHP code on the server can lead to full compromise of the host system, including unauthorized access to sensitive LDAP directory data such as user credentials, group memberships, and network configuration details. This could facilitate further lateral movement within corporate networks, data exfiltration, or disruption of directory services critical for authentication and authorization. Given that LDAP is a core component in many enterprise identity and access management infrastructures, exploitation could impact confidentiality, integrity, and availability of user and system accounts. The impact is particularly severe in environments where the www-data user has elevated privileges or where the server hosts other critical services. Additionally, compromised LDAP data can undermine trust in identity management, affecting compliance with GDPR and other data protection regulations in Europe. Although no public exploits are known, the ease of exploitation for attackers with write access to the tmp directory means that insider threats or attackers who have gained limited access could escalate privileges rapidly.
Mitigation Recommendations
1. Upgrade LDAP Account Manager to version 8.0 or later immediately to apply the official fix.
2. If upgrading is not feasible in the short term, explicitly configure the web server (e.g., Apache or Nginx) to disable execution of PHP scripts in the tmp directory used by LAM. This can be done by setting 'php_admin_flag engine off' or equivalent directives for that directory.
3. Restrict file write permissions on the tmp directory to trusted processes and users only, minimizing the risk of unauthorized file uploads.
4. Implement strict input validation and sanitization on any file upload or management interfaces to prevent injection of malicious code.
5. Monitor web server logs and file system changes in the tmp directory for suspicious activity indicative of web shell uploads or execution attempts.
6. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block anomalous PHP execution patterns.
7. Conduct regular security audits and penetration tests focusing on web application file upload functionality and directory permissions.
8. Educate system administrators and developers on secure configuration practices to avoid exposing executable directories to the web unnecessarily.
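The following is an added example for steps 2 and 5 above; it is not code from the advisory or from the LAM project. It is a POSIX shell script with two parts: a check that lists PHP-interpretable files found under LAM's tmp directory (the kind of file system monitoring step 5 asks for), and a helper that prints the Apache 2.4 configuration snippet step 2 describes, combining 'php_admin_flag engine off' with a FilesMatch block that refuses to serve PHP-extension files at all, so the restriction also holds on php-fpm setups where the mod_php flag has no effect. The default path /var/lib/ldap-account-manager/tmp comes from the advisory; the extension list extends the advisory's .php/.php4/.php5/.phpt with .php3, .php6, .php7 and .phtml as an assumption about what a given PHP handler may be configured to interpret, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the advisory or of LAM): defender-side check for
# PHP-interpretable files in LAM's tmp directory, plus the Apache directives
# that stop PHP execution there. Adjust LAM_TMP to your installation.

LAM_TMP="${LAM_TMP:-/var/lib/ldap-account-manager/tmp}"

# Extensions treated as executable by PHP. .php, .php4, .php5 and .phpt are
# named in the advisory; .php3, .php6, .php7 and .phtml are assumed extras.
PHP_EXT_PATTERN='\.(php|php[3-7]|phpt|phtml)$'

# Print every regular file under $1 whose name ends in one of those
# extensions (case-insensitive). Returns 1 when any were found, so the
# function can drive a cron job or a monitoring hook.
find_php_in_tmp() {
    dir="$1"
    found=$(find "$dir" -type f 2>/dev/null | grep -E -i "$PHP_EXT_PATTERN")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Same scan, but print only the number of matching files (0 when clean).
count_php_in_tmp() {
    find "$1" -type f 2>/dev/null | grep -E -i -c "$PHP_EXT_PATTERN" || true
}

# Emit the Apache 2.4 snippet for the directory given as $1:
#  - php_admin_flag engine off disables mod_php in that directory
#    (drop this line if mod_php is not loaded, or Apache will reject it);
#  - the FilesMatch block removes any handler from PHP-extension files and
#    denies access to them, which also covers php-fpm / proxy_fcgi setups.
# Files with other extensions (e.g. exports LAM places there) stay reachable.
apache_deny_php_snippet() {
    cat <<EOF
<Directory "$1">
    php_admin_flag engine off
    <FilesMatch "(?i)\.(php|php[3-7]|phpt|phtml)\$">
        SetHandler none
        Require all denied
    </FilesMatch>
</Directory>
EOF
}

# Stand-alone use: report on the real directory if it exists on this host.
if [ -d "$LAM_TMP" ]; then
    find_php_in_tmp "$LAM_TMP" || echo "WARNING: PHP files present in $LAM_TMP"
fi
```

Run the script periodically (or from a file-change watcher) and alert on a non-zero count; a PHP file appearing in this directory is unexpected regardless of whether the web server will execute it. Pipe `apache_deny_php_snippet /var/lib/ldap-account-manager/tmp` into a conf.d fragment, run `apachectl configtest`, and reload Apache.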
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9844c4522896dcbf3639
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/23/2025, 3:36:38 AM
Last updated: 8/15/2025, 6:39:53 AM