Date: Mon, 25 Jul 2011 14:52:42 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com
Subject: CVE Request -- GLPI -- Properly blacklist some sensitive fields

Hello Josh, Steve, vendors,

it was found that GLPI, the Information Resource-Manager with an additional
Administration-Interface, did not properly blacklist certain sensitive
variables (like GLPI username and password). A remote attacker could use
this flaw to obtain access to plaintext form of these values via
specially-crafted HTTP POST request.

References:
  http://www.glpi-project.org/spip.php?page=annonce&id_breve=237&lang=en
  https://forge.indepnet.net/projects/glpi/versions/605
  https://forge.indepnet.net/issues/3017

Relevant patches:
  https://forge.indepnet.net/projects/glpi/repository/revisions/14951
  https://forge.indepnet.net/projects/glpi/repository/revisions/14952
  https://forge.indepnet.net/projects/glpi/repository/revisions/14954
  https://forge.indepnet.net/projects/glpi/repository/revisions/14955
  https://forge.indepnet.net/projects/glpi/repository/revisions/14956
  https://forge.indepnet.net/projects/glpi/repository/revisions/14957
  https://forge.indepnet.net/projects/glpi/repository/revisions/14958
  https://forge.indepnet.net/projects/glpi/repository/revisions/14960
  https://forge.indepnet.net/projects/glpi/repository/revisions/14966

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
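The report above describes the defensive control that was missing: credential-like variables must be masked before any variable dump or export is rendered, and the mask has to be robust rather than an exact-name list. The following is an added illustration of that kind of filter, written for this page; it is not GLPI's code and does not reproduce the patched logic. The key names, patterns and sample data are constructed assumptions chosen to show why a naive blacklist is insufficient.

```php
<?php
// Added illustration (not GLPI's code): redact sensitive entries from an
// array of variables before it is rendered, so a debug or export view cannot
// leak credentials. Key names and sample data below are constructed.

// Weak version: exact, case-sensitive match on a short list. It misses
// variants such as "Password" or "db_password" and never looks inside
// nested arrays.
function redact_weak(array $vars): array
{
    $blacklist = ['password', 'username'];
    foreach ($vars as $key => $value) {
        if (in_array($key, $blacklist, true)) {
            $vars[$key] = '********';
        }
    }
    return $vars;
}

// Hardened version: normalise the key to lower case, match on patterns
// rather than exact names, and recurse into nested arrays so that
// structures like $data['auth']['password'] are covered as well.
function redact_sensitive(array $vars, ?array $patterns = null): array
{
    $patterns = $patterns ?? [
        '/pass(word|wd)?/',  // password, passwd, db_password, ...
        '/secret/',
        '/token/',
        '/api[_-]?key/',
        '/^user(name)?$/',   // the login name itself
    ];
    $out = [];
    foreach ($vars as $key => $value) {
        $norm = strtolower((string) $key);
        $hit = false;
        foreach ($patterns as $re) {
            if (preg_match($re, $norm) === 1) {
                $hit = true;
                break;
            }
        }
        if ($hit) {
            $out[$key] = '********';
        } elseif (is_array($value)) {
            $out[$key] = redact_sensitive($value, $patterns);
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Constructed sample resembling a dump of request and configuration variables.
$sample = [
    'username' => 'alice',
    'Password' => 'hunter2',
    'db'       => ['host' => 'localhost', 'db_password' => 's3cret'],
    'api_key'  => 'example-key-value',
    'page'     => 'central',
];

var_export(redact_weak($sample));      // "Password", "db_password" and "api_key" still visible
echo "\n";
var_export(redact_sensitive($sample)); // every credential-like entry masked, "page" and "host" kept
```

The important design choice is that the hardened filter is applied to the data structure itself, before any template or serializer sees it, rather than to the rendered output. Filtering by normalised key pattern and recursing through nested arrays is what makes the result hold up regardless of which request parameters a client chooses to send.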