oss-sec mailing list archives
CVE request for GLPI
From: "Mehrenberger, Xavier" <Xavier.Mehrenberger () cassidian com>
Date: Thu, 27 Jun 2013 09:41:37 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I'd like to request a CVE identifier for a vulnerability in GLPI. The unserialize() function was used in several places throughout the codebase; one CVE identifier should (IMHO) be sufficient. It has been publicly fixed in the project's repository. Thanks ======================================= Advisory title: unserialize vulnerability in GLPI 0.83.9 Product: GLPI 0.83.9 Discovered by: Xavier Mehrenberger @Cassidian CyberSecurity Vulnerable version: 0.83.9 Tested: v0.83.9, 2013-06-21 Fixed in repository: 2013-06-23 commits 21169 to 21180 Category: Potential PHP code execution Vulnerability type: [CWE-502] Deserialization of Untrusted Data CVE IDs: none yet By: Xavier Mehrenberger Cassidian CyberSecurity http://www.cassidiancybersecurity.com ======================================= - ----- CVE-2013-XXXX Required configuration: No specific configuration required Steps to reproduce: * Issue a request to glpi/front/ticket.form.php?id=1&_predefined_fields=XXXX, * replacing XXX with a serialized PHP object Vulnerable code sample: - --- file ticket.class.php, function showFormHelpdesk if (isset($options['_predefined_fields'])) { $options['_predefined_fields'] = unserialize(rawurldecode(stripslashes($options['_predefined_fields']))); - --- When passing a non-existent empty serialized class (ex: class called "exploit" value "O%3A7%3A%22exploit%22%3A0%3A%7B%7D"), an error occurs, which is caught by the userErrorHandlerNormal function in toolbox.class.php. When a PHP object gets unserialized, its __wakeup() function is executed. When this object gets destroyed, its __destruct() function is executed (since PHP5). No such object exists throughout the GLPI codebase. However, it might exist in a third-party library, as demonstrated by Stefan Esser [2]. More information about this vulnerability class can be found at [1]. The unsafe use of unserialize() has been fixed throughout the codebase in commits 21169 [3] to 21180. References: [1] https://www.owasp.org/index.php/PHP_Object_Injection [2] http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.p df part II [3] https://forge.indepnet.net/projects/glpi/repository/revisions/21169/diff /branches/0.83-bugfixes/inc/ticket.class.php -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iQEcBAEBAgAGBQJRy+uWAAoJED6sl31qxFSwJIAH/1ocTdzZV5ZrakoMMueBzUM3 Kh5cme5ieMKaMQ4UM4RG4JoPdV8SmEAlzdG0QfmOr03AaY9Z6THqFUReydso1qCJ 7s/5Vb48D0E4aJNircswz1AE3I/uYTDCVHqFSdgVQ4qEjmqQr1gPjBDEkHzZ9dNP LH43kc4BrWctQzKJAowvMqwa5utPWjuTxNHp9xVWNHI4lQVMJTHs1LHhr28Wsfy/ rqTblJYwOBZ8HqZsZIZhWeVc1TvSWkv2COFThH5RQ2iru/6EZe8C8NmqMyqFqA0A SVonXNsEsKhYuEUUqMGEf9ljeVwcsmPPSCrcAYxzoAeTOAgKgvSaWYpHEFzBOO8= =12Pi -----END PGP SIGNATURE-----
Current thread:
- CVE request for GLPI Mehrenberger, Xavier (Jun 27)
- Re: CVE request for GLPI Kurt Seifried (Jun 30)