Bug 1194196

Summary: glpi: privilege escalation via user creation with a crafted POST request
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: fedora
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: GLPI 0.85.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:38:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1194197, 1194198
Bug Blocks:

Description Vasyl Kaigorodov 2015-02-19 10:19:35 UTC
Versions Affected
===========
All versions <= 0.85.2

Description
=======

Taking the default account tech, he is only allowed to add users in the following groups: Self-Service, Technician. He does not have the right over, for example, the super-admin group. So he cannot add the super-admin privileges to an existing user.


The problem is when creating a new user. When intercepting the POST request (GLPI_ROOT/front/user.form.php) of a user creation and modifying the _profiles_id parameter (corresponding to the group attached to the user) to 4, the new user will have the super-admin privileges.


Impact
=====

Any user who has the rights to create a new user can create a super-admin user.


Mitigation
======
Upgrade to GLPI 0.85.3 (https://forge.indepnet.net/issues/5218)
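The defect the report describes is a missing server-side check: the profile id submitted in the form is honoured as-is instead of being compared with the set of profiles the acting user is allowed to hand out. The following is an added illustration of that check and is not GLPI's code; it is written in Python rather than GLPI's PHP purely for illustration. The function names, the profile table (other than id 4 = super-admin, which comes from the report), the ASSIGNABLE_PROFILES policy and the sample form bodies are all constructed assumptions.

```python
# Added illustration, not GLPI code: the server-side authorization check whose
# absence lets a submitted _profiles_id be honoured as-is. Names, the profile
# table (except id 4 = super-admin, from the report) and the policy are assumed.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

# Constructed profile table. Only "4 = super-admin" comes from the bug report.
PROFILES = {1: "Self-Service", 4: "Super-Admin", 6: "Technician"}

# Constructed policy: profile ids that an actor holding a given profile may
# assign when creating a user. A technician may hand out only Self-Service or
# Technician, mirroring the report's description of the default "tech" account.
ASSIGNABLE_PROFILES = {
    4: {1, 4, 6},   # super-admin may assign any profile
    6: {1, 6},      # technician: Self-Service and Technician only
}


class ProfileNotAllowed(Exception):
    """Raised when the requested profile is outside the actor's assignable set."""


@dataclass
class CreatedUser:
    name: str
    profile_id: int


def parse_form(body: str) -> dict:
    """Flatten a urlencoded POST body (constructed input) to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def create_user_vulnerable(actor_profile_id: int, form: dict) -> CreatedUser:
    """'Before' behaviour as the report describes it: the form value is trusted,
    so a request whose _profiles_id was changed to 4 yields a super-admin user."""
    return CreatedUser(form["name"], int(form["_profiles_id"]))


def create_user_hardened(actor_profile_id: int, form: dict,
                         audit: Optional[list] = None) -> CreatedUser:
    """Hardened variant: the submitted profile must be one the actor may assign.
    Missing or malformed ids are rejected too, and refusals are recorded so a
    tampered request is visible to whoever reviews the audit log."""
    raw = form.get("_profiles_id", "")
    try:
        requested = int(raw)
    except ValueError:
        requested = None  # not an integer: treated like any disallowed value
    allowed = ASSIGNABLE_PROFILES.get(actor_profile_id, set())
    if requested not in allowed:
        if audit is not None:
            audit.append(
                f"rejected: actor profile {actor_profile_id} requested profile {raw!r}"
            )
        raise ProfileNotAllowed(
            f"profile {raw!r} not assignable by profile {actor_profile_id}"
        )
    return CreatedUser(form["name"], requested)


if __name__ == "__main__":
    # A technician (profile 6) submits a form whose _profiles_id was set to 4.
    tampered = parse_form("name=newuser&_profiles_id=4")
    print("vulnerable:", create_user_vulnerable(6, tampered))
    log = []
    try:
        create_user_hardened(6, tampered, audit=log)
    except ProfileNotAllowed as exc:
        print("hardened:", exc)
    print(log)
```

The policy lookup is keyed on the actor's own profile rather than on anything in the request, which is the point: the set of assignable profiles must come from the server's view of who is logged in, never from the form. The audit entry is what a defender would search for when reviewing whether anyone attempted this against an unpatched instance.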

Comment 1 Vasyl Kaigorodov 2015-02-19 10:20:10 UTC
Created glpi tracking bugs for this issue:

Affects: fedora-all [bug 1194197]
Affects: epel-all [bug 1194198]

Comment 2 Remi Collet 2015-02-27 09:47:03 UTC
I think the impact is not "important".

To exploit this, a GLPI user needs to be connected and have the "high" privilege to update other users (so is already an administrator, perhaps not a "super" one).

Comment 3 Remi Collet 2015-03-24 10:14:26 UTC
I think the initial report is not correct.

Version < 0.84 (such as 0.83 in EPEL-5/6) is not affected, the relevant feature (and code) doesn't exist.

Versions Affected
===========
All versions >= 0.84 and <= 0.85.2

Comment 4 Francisco Alonso 2015-03-24 13:34:13 UTC
(In reply to Remi Collet from comment #3)
> I think initial report is not correct
> 
> Version < 0.84 (such as 0.83 in EPEL-5/6) is not affected, the relevant
> feature (and code) doesn't exist.
> 
> Versions Affected
> ===========
> All versions >= 0.84 and <= 0.85.2

Updated the affects, thanks Remi.

Comment 5 Fedora Update System 2015-03-31 21:56:47 UTC
glpi-0.85.2-2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-04-05 14:30:15 UTC
glpi-0.84.8-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-04-05 14:34:26 UTC
glpi-0.84.8-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-04-10 19:14:40 UTC
glpi-0.84.8-4.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Product Security DevOps Team 2019-06-08 02:38:55 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.