Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 10 Feb 2012 16:42:09 +0100
From: Emilien Girault <egirault@...c.fr.sogeti.com>
To: oss-security@...ts.openwall.com
Subject: [vs] CVE-2012-1037 GLPI <= 0.80.61 LFI/RFI

Hi,

I found a File Inclusion vulnerability in GLPI <= 0.80.61. I contacted the project team; 
the bug is now patched and a new version is available (0.80.7).

I've published the advisory on fulldisclosure:

http://seclists.org/fulldisclosure/2012/Feb/157 <http://seclists.org/fulldisclosure/2012/Feb/157>

CVE-2012-1037: GLPI <= 0.80.61 LFI/RFI

Severity: Important

Vendor: GLPI - http://www.glpi-project.org

Versions Affected
=================

All versions between 0.78 and 0.80.61

Description
===========

GLPI fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file:

  [...]
  checkLoginUser();

  if (isset($_GET["popup"])) {
     $_SESSION["glpipopup"]["name"] = $_GET["popup"];
  }
 
  if (isset($_SESSION["glpipopup"]["name"])) {
    switch ($_SESSION["glpipopup"]["name"]) {
  [...]
    case "add_ruleparameter" :
           popHeader($LANG['ldap'][35], $_SERVER['PHP_SELF']);
           include strtolower($_GET['sub_type']."Parameter.php");   // <======= 
           break;
  [...]
  
To be triggered, the attacker needs to be authenticated. However, GLPI provides default accounts that often aren't 
changed or disabled:

    glpi/glpi
    tech/tech
    normal/normal
    post-only/postonly

Impact
======

Since there is a suffix, the vulnerability can be used as a RFI (requires allow_url_include = On).

For LFI, the target file has to end up with "parameter.php". GLPI automatically escapes all GET and POST parameters 
with addslashes(), so the null byte technique is not usable. I have not tested exploitation using the path truncation 
technique but it might be possible.


Mitigation
==========

Upgrade to GLPI 0.80.7.


Exploit
=======

http://<server>/front/popup.php?popup=add_ruleparameter&sub_type=<file>


Timeline
========

08 feb 2012 - Found the bug.
09 feb 2012 - Contacted the GLPI Team.
09 feb 2012 - Bug fixed & new version available.

Thanks to the GLPI team for being responsive!

References
==========

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037
https://forge.indepnet.net/projects/glpi/versions/685
https://forge.indepnet.net/projects/glpi/repository/revisions/17457/diff/branches/0.80-bugfixes/front/popup.php

I think you can package the new version into security updates.
Please let me know if you need any more details.

Best regards,

-- 
Emilien Girault


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.