From full disclosure Emilien Girault reports: http://permalink.gmane.org/gmane.comp.security.full-disclosure/84497 CVE-2012-1037: GLPI <= 0.80.61 LFI/RFI Severity: Important Vendor: GLPI - http://www.glpi-project.org Versions Affected ================= All versions between 0.78 and 0.80.61 Description =========== GLPI fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file: [...] checkLoginUser(); if (isset($_GET["popup"])) { $_SESSION["glpipopup"]["name"] = $_GET["popup"]; } if (isset($_SESSION["glpipopup"]["name"])) { switch ($_SESSION["glpipopup"]["name"]) { [...] case "add_ruleparameter" : popHeader($LANG['ldap'][35], $_SERVER['PHP_SELF']); include strtolower($_GET['sub_type']."Parameter.php"); // <======= break; [...] To be triggered, the attacker needs to be authenticated. However, GLPI provides default accounts that often aren't changed or disabled: glpi/glpi tech/tech normal/normal post-only/postonly Impact ====== Since there is a suffix, the vulnerability can be used as a RFI (requires allow_url_include = On). For LFI, the target file has to end up with "parameter.php". GLPI automatically escapes all GET and POST parameters with addslashes(), so the null byte technique is not usable. I have not tested exploitation using path truncation technique but it might be possible. Mitigation ========== Upgrade to GLPI 0.80.7. Exploit ======= http://<server>/front/popup.php?popup=add_ruleparameter&sub_type=<file> Timeline ======== 08 feb 2012 - Found the bug. 09 feb 2012 - Contacted the GLPI Team. 09 feb 2012 - Bug fixed & new version available. Thanks to the GLPI team for being responsive! References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037 https://forge.indepnet.net/projects/glpi/versions/685 https://forge.indepnet.net/projects/glpi/repository/revisions/17457/diff/branches/0.80-bugfixes/front/popup.php
Created glpi tracking bugs for this issue Affects: fedora-all [bug 789649]
glpi-0.80.7 and glpi-0.78.5 + svn patch are already in the updates.
glpi-0.78.5-3.svn17464.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
glpi-0.80.7-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
glpi-0.80.7-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
glpi-0.78.5-4.svn17464.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been corrected in the following products: 1) via glpi-0.78.5-4.svn17464.el5 for Fedora EPEL 5, 2) via glpi-0.80.7-1.el6 for Fedora EPEL 6, 3) via glpi-0.80.7-1.fc16 for Fedora 16, 4) via glpi-0.80.7-1.fc17 (superseded by glpi-0.83.1-1.fc17) for Fedora 17. Closing this bug.