| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2012-1037 | 12 Jul 2012 20:00 | – | cve |
| CVE-2012-1037 | 12 Jul 2012 20:00 | – | cvelist |
| EUVD-2012-1075 | 7 Oct 2025 00:30 | – | euvd |
| [SECURITY] Fedora 15 Update: glpi-0.78.5-3.svn17464.fc15 | 19 Feb 2012 01:56 | – | fedora |
| [SECURITY] Fedora 16 Update: glpi-0.80.7-1.fc16 | 19 Feb 2012 01:57 | – | fedora |
| Fedora 16 : glpi-0.80.7-1.fc16 (2012-1519) | 20 Feb 2012 00:00 | – | nessus |
| Fedora 15 : glpi-0.78.5-3.svn17464.fc15 (2012-1534) | 20 Feb 2012 00:00 | – | nessus |
| CVE-2012-1037 | 12 Jul 2012 20:55 | – | nvd |
| Mandriva Update for glpi MDVSA-2012:016 (glpi) | 13 Feb 2012 00:00 | – | openvas |
| Fedora Update for glpi FEDORA-2012-1534 | 21 Feb 2012 00:00 | – | openvas |
CVE-2012-1037: GLPI <= 0.80.61 LFI/RFI
Severity: Important
Vendor: GLPI - http://www.glpi-project.org
Versions Affected
=================
All versions between 0.78 and 0.80.61
Description
===========
GLPI fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file:
```php
[...]
checkLoginUser();
if (isset($_GET["popup"])) {
    $_SESSION["glpipopup"]["name"] = $_GET["popup"];
}
if (isset($_SESSION["glpipopup"]["name"])) {
    switch ($_SESSION["glpipopup"]["name"]) {
        [...]
        case "add_ruleparameter" :
            popHeader($LANG['ldap'][35], $_SERVER['PHP_SELF']);
            include strtolower($_GET['sub_type']."Parameter.php"); // <=======
            break;
        [...]
```
To be triggered, the attacker needs to be authenticated. However, GLPI provides default accounts that often aren't changed or disabled:
glpi/glpi
tech/tech
normal/normal
post-only/postonly
Impact
======
Since there is a suffix, the vulnerability can be used as an RFI (requires allow_url_include = On).
For LFI, the target file has to end with "parameter.php". GLPI automatically escapes all GET and POST parameters with addslashes(), so the null byte technique is not usable. I have not tested exploitation using the path truncation technique, but it might be possible.
Mitigation
==========
Upgrade to GLPI 0.80.7.
Exploit
=======
http://<server>/front/popup.php?popup=add_ruleparameter&sub_type=<file>
Timeline
========
08 Feb 2012 - Found the bug.
09 Feb 2012 - Contacted the GLPI Team.
09 Feb 2012 - Bug fixed & new version available.
Thanks to the GLPI team for being responsive!
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037
https://forge.indepnet.net/projects/glpi/versions/685
https://forge.indepnet.net/projects/glpi/repository/revisions/17457/diff/branches/0.80-bugfixes/front/popup.php
--
Emilien Girault
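As an added example that is not part of the advisory and not GLPI's own code, here is the include pattern from the advisory placed beside a hardened form in which the request value is used only as an allowlist key and never as part of a path; the sub_type names and the parameters directory are assumed placeholders.

```php
<?php
// Added example, not code from the advisory or from GLPI. The sub_type
// names and the parameters directory below are assumed placeholders.
declare(strict_types=1);

// Assumed: directory holding the *Parameter.php files.
const PARAMETER_DIR = __DIR__ . '/parameters';

// Assumed allowlist of known sub_type values (lower case).
const ALLOWED_SUB_TYPES = ['ldap', 'mail'];

// Vulnerable pattern, as quoted in the advisory: the caller controls every
// character before the fixed suffix, so traversal sequences and URL schemes
// pass straight through. addslashes() is no help here because it leaves
// '/', '.' and ':' untouched; only quotes, backslashes and NUL are escaped.
function vulnerableIncludePath(string $subType): string
{
    return strtolower($subType . "Parameter.php");
}

// Hardened form: normalise the value, look it up in the allowlist, and build
// the path from the allowlisted key rather than from the raw request value.
function safeIncludePath(string $subType): ?string
{
    $key = strtolower(trim($subType));
    if (!in_array($key, ALLOWED_SUB_TYPES, true)) {
        return null; // unknown type: caller should fail the request, not include
    }
    return PARAMETER_DIR . '/' . $key . 'parameter.php';
}

// Constructed inputs: a valid type, a traversal attempt and a remote URL.
foreach (['LDAP', '../ldap', 'http://example.invalid/x'] as $input) {
    printf("%-26s vulnerable=%-42s safe=%s\n", $input,
        vulnerableIncludePath($input), safeIncludePath($input) ?? 'rejected');
}
```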