Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 30 Jun 2013 17:24:38 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Mehrenberger, Xavier" <Xavier.Mehrenberger@...sidian.com>
Subject: Re: CVE request for GLPI

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/27/2013 01:41 AM, Mehrenberger, Xavier wrote:
> Hello,
> 
> I'd like to request a CVE identifier for a vulnerability in GLPI. 
> The unserialize() function was used in several places throughout
> the codebase; one CVE identifier should (IMHO) be sufficient.
> 
> It has been publicly fixed in the project's repository.
> 
> Thanks
> 
> ======================================= Advisory title: unserialize
> vulnerability in GLPI 0.83.9 Product: GLPI 0.83.9 Discovered by:
> Xavier Mehrenberger @Cassidian CyberSecurity Vulnerable version:
> 0.83.9 Tested: v0.83.9, 2013-06-21 Fixed in repository: 2013-06-23
> commits 21169 to 21180 Category: Potential PHP code execution 
> Vulnerability type: [CWE-502] Deserialization of Untrusted Data CVE
> IDs: none yet By: Xavier Mehrenberger Cassidian CyberSecurity 
> http://www.cassidiancybersecurity.com 
> =======================================
> 
> ----- CVE-2013-XXXX Required configuration: No specific
> configuration required Steps to reproduce: * Issue a request to 
> glpi/front/ticket.form.php?id=1&_predefined_fields=XXXX, *
> replacing XXX with a serialized PHP object
> 
> Vulnerable code sample: --- file ticket.class.php, function
> showFormHelpdesk if (isset($options['_predefined_fields'])) { 
> $options['_predefined_fields'] = 
> unserialize(rawurldecode(stripslashes($options['_predefined_fields'])));
>
> 
- ---
> 
> When passing a non-existent empty serialized class (ex: class
> called "exploit" value "O%3A7%3A%22exploit%22%3A0%3A%7B%7D"), an
> error occurs, which is caught by the userErrorHandlerNormal
> function in toolbox.class.php.
> 
> When a PHP object gets unserialized, its __wakeup() function is 
> executed. When this object gets destroyed, its __destruct()
> function is executed (since PHP5). No such object exists throughout
> the GLPI codebase. However, it might exist in a third-party
> library, as demonstrated by Stefan Esser [2]. More information
> about this vulnerability class can be found at [1].
> 
> The unsafe use of unserialize() has been fixed throughout the
> codebase in commits 21169 [3] to 21180.
> 
> References: [1]
> https://www.owasp.org/index.php/PHP_Object_Injection [2] 
> http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.p
>
> 
df part II
> [3] 
> https://forge.indepnet.net/projects/glpi/repository/revisions/21169/diff
>
> 
/branches/0.83-bugfixes/inc/ticket.class.php

Please use CVE-2013-2225 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR0L42AAoJEBYNRVNeJnmTDbEP/3BV/MWD0NNISceAgS7So1Za
IhHUlZ2lF5po8iorsVH77ppIUL7TBRuTqogN1K3IOZCGAMMPuKgIydtj21+regiW
gyc1PaePkMMBVVTUesFmHLn19pLyjo6bXKribWwJIz3bnSnZzUj5gjxzbXzUvLRG
m7NHcnpywIcefHOGTWn6ysBQZFssAKLGOamBwMQCoKxXG/ecjs5U9mDMT2CaW5D3
VI23yY+l8WeEokOgV+JXzmFaEns3XeImkjw/L2DKoljOTppIdisxV9OvhFTUlHlQ
dz+WPzezBg4cS5DmlS2kpZ5f6IxclVa49On+1HeQpl7IrA/JWO8RjXZiWblDgfOK
kasIuvU4lCCcZ6iBg6ZBypNF2NxDFB+hOo4F4V4CyRK6eiFCAAjIN49hlu75GmM5
524DMXYgiQ9x6hcjs42yNbevUvJ+6wDkhf3jBQEKytlmeW9sazHY/7b2g6uSB0RB
nIkG/WWW3X0O8cos1ouaB2RpYnN/oWEEuiD0u7+JMRmIeVov67xvSkXmgJJojo02
RE6E7Nl3LM0SO+Ji4I0g90HUPJkSiGJvvMLVtZ2v9gdVaKvNFUjyzdQ22xOEZDQQ
WdcUF+jqhqTGgF32vluWAS+b0Hd0AbWfxlgtxCr0u175knSEuSNBksmKXJymIUG9
TTDmdcfqLkSS9mxBvkvN
=JKWx
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.