GLPI 0.80.61 Local File Inclusion / Remote File Inclusion

`CVE-2012-1037: GLPI <= 0.80.61 LFI/RFI  
  
Severity: Important  
  
Vendor: GLPI - http://www.glpi-project.org  
  
Versions Affected  
=================  
  
All versions between 0.78 and 0.80.61  
  
Description  
===========  
  
GLPI fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file:  
  
[...]  
checkLoginUser();  
  
if (isset($_GET["popup"])) {  
$_SESSION["glpipopup"]["name"] = $_GET["popup"];  
}  
  
if (isset($_SESSION["glpipopup"]["name"])) {  
switch ($_SESSION["glpipopup"]["name"]) {  
[...]  
case "add_ruleparameter" :  
popHeader($LANG['ldap'][35], $_SERVER['PHP_SELF']);  
include strtolower($_GET['sub_type']."Parameter.php"); // <=======   
break;  
[...]  
  
To be triggered, the attacker needs to be authenticated. However, GLPI provides default accounts that often aren't changed or disabled:  
  
glpi/glpi  
tech/tech  
normal/normal  
post-only/postonly  
  
Impact  
======  
  
Since there is a suffix, the vulnerability can be used as a RFI (requires allow_url_include = On).  
  
For LFI, the target file has to end up with "parameter.php". GLPI automatically escapes all GET and POST parameters with addslashes(), so the null byte technique is not usable. I have not tested exploitation using path truncation technique but it might be possible.  
  
  
Mitigation  
==========  
  
Upgrade to GLPI 0.80.7.  
  
  
Exploit  
=======  
  
http://<server>/front/popup.php?popup=add_ruleparameter&sub_type=<file>  
  
  
Timeline  
========  
  
08 feb 2012 - Found the bug.  
09 feb 2012 - Contacted the GLPI Team.  
09 feb 2012 - Bug fixed & new version available.  
  
Thanks to the GLPI team for being responsive!  
  
References  
==========  
  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037  
https://forge.indepnet.net/projects/glpi/versions/685  
https://forge.indepnet.net/projects/glpi/repository/revisions/17457/diff/branches/0.80-bugfixes/front/popup.php  
  
  
--   
Emilien Girault  
`