GLPi 0.90.2 - SQL Injection

ID 1337DAY-ID-25023
Type zdt
Reporter High-Tech Bridge
Modified 2016-04-29T00:00:00


Exploit for php platform in category web applications

Product: GLPI
Vulnerable Version(s): 0.90.2 and probably prior
Tested Version: 0.90.2
Advisory Publication: April 8, 2016 [without technical details]
Vendor Notification: April 8, 2016 
Vendor Patch: April 11, 2016 
Public Disclosure: April 29, 2016 
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High 
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( )
Advisory Details:
High-Tech Bridge Security Research Lab discovered a high-risk SQL injection vulnerability in GLPI, a popular Information Resource Manager (IRM) system. IRM systems are usually used for management and audit of software packages and provide an ITIL-compliant service desk. The vulnerability allows a remote unauthenticated attacker to execute arbitrary SQL queries, read and write data in the application's database, and completely compromise the vulnerable system.
The vulnerability exists due to insufficient filtration of user-supplied data passed via the "page_limit" HTTP GET parameter to the "/ajax/getDropdownConnect.php" PHP script. A remote unauthenticated attacker can alter the existing SQL query and inject and execute arbitrary SQL commands in the application's database.
Below is a simple SQL Injection exploit, which uses a time-based exploitation technique. The page load time will be significantly higher if the MySQL version is 5.X or later:
Solution:
Update to GLPI 0.90.3
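The root cause described above is a numeric LIMIT value taken straight from the "page_limit" query parameter and placed into the SQL text. The following is an added example written for this page, not GLPI's own code and not the exploit from the advisory: it contrasts the vulnerable string-interpolation pattern with a hardened handler that accepts only a bounded integer and binds it as a query parameter, and it includes a small access-log scanner that flags requests to the affected script whose "page_limit" is not a plain integer (the signal a defender would look for when hunting the time-based technique mentioned above). The table name, the upper bound MAX_PAGE_LIMIT, and the sample log lines are assumptions constructed for the demonstration; SQLite stands in for MySQL.

```python
"""
Added illustration (not GLPI's code): validating a user-supplied LIMIT value
before it reaches SQL, and spotting abuse of that parameter in access logs.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

MAX_PAGE_LIMIT = 100  # assumed sane upper bound for one dropdown page
PLAIN_INT = re.compile(r"[0-9]{1,4}")


def build_query_unsafe(page_limit: str) -> str:
    # Vulnerable pattern: the raw parameter is interpolated into the statement,
    # so any value that is not a plain integer rewrites the query itself.
    return f"SELECT id, name FROM items ORDER BY name LIMIT {page_limit}"


def is_valid_page_limit(raw: str) -> bool:
    # Hardened check: only a plain decimal integer inside an agreed range.
    if not PLAIN_INT.fullmatch(raw or ""):
        return False
    return 1 <= int(raw) <= MAX_PAGE_LIMIT


def parse_page_limit(raw: str) -> int:
    if not is_valid_page_limit(raw):
        raise ValueError(f"page_limit must be an integer in 1..{MAX_PAGE_LIMIT}, got {raw!r}")
    return int(raw)


def fetch_items(conn: sqlite3.Connection, raw_page_limit: str) -> list:
    # The validated integer is bound as a parameter; the SQL text never varies
    # with user input, which is what removes the injection surface.
    limit = parse_page_limit(raw_page_limit)
    cur = conn.execute("SELECT id, name FROM items ORDER BY name LIMIT ?", (limit,))
    return cur.fetchall()


def make_demo_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items (name) VALUES (?)",
                     [("printer",), ("switch",), ("laptop",), ("router",)])
    return conn


REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_page_limit_requests(log_lines) -> list:
    """Return (path, page_limit) for requests to the affected script whose
    page_limit is not a plain bounded integer. Detection needs no payload
    knowledge: anything other than a number in this parameter is anomalous."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/ajax/getDropdownConnect.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("page_limit", []):
            if not is_valid_page_limit(value):
                hits.append((url.path, value))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Apr/2016:10:01:02 +0000] "GET /glpi/ajax/getDropdownConnect.php?page_limit=20 HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Apr/2016:10:01:09 +0000] "GET /glpi/ajax/getDropdownConnect.php?page_limit=20%20OR%20x HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Apr/2016:10:01:11 +0000] "GET /glpi/front/central.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    conn = make_demo_db()
    print(fetch_items(conn, "2"))                 # two rows, bound LIMIT
    print(build_query_unsafe("20 OR x"))          # user text lands in the SQL
    print(suspicious_page_limit_requests(SAMPLE_LOG))
```

Binding LIMIT as a parameter works in SQLite and in MySQL's prepared statements; where a driver cannot bind it, casting the validated value to `int` before formatting gives the same guarantee, because the check above has already rejected anything that is not digits.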
More Information:
[1] High-Tech Bridge Advisory HTB23301 - SQL Injection in GLPI.
[2] GLPI - GLPI is the Information Resource Manager with an additional Administration Interface.
[3] Common Weakness Enumeration (CWE) - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.

# [2018-01-08]  #