oss-sec mailing list archives
Re: CVE-2013-5696: split needed
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 20 Sep 2013 11:35:31 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/20/2013 02:27 AM, Raphael Geissert wrote:
Hi, GLPI 0.84.2 fixes a few security issues [1], for which CVE-2013-5696 was assigned. However, from the bug tracker[2] it is clear that there are multiple issues: * SQL Injection * PHP Code Execution * CSRF (seems that it is the vector for the SQL injection) There there are references to the above CVE id and an id from HTB. The latter's advisory [3] only refers to remote code execution. So, it looks like the CVE id was originally assigned to the CSRF vulnerability, then reused for the SQL injections, and the code execution vulns. were just added to the same bug report but it is completely independent and not covered by the existing CVE id. CC'ing GLPI upstream so that they can, hopefully, shed some more light. Is the 0.83 branch affected by the way? CC'ing one of HTB's email addresses, in case they've already requested an id directly from MITRE. (oh and it appears that there's now a warning requesting the install.php script to be deleted after the installation. Does that mean that there are bugs left to be exploited otherwise?) [1]http://www.glpi-project.org/spip.php?page=annonce&id_breve=308 [2]https://forge.indepnet.net/issues/4480 [3]https://www.htbridge.com/advisory/HTB23173 Cheers,
I assume this was assigned by Mitre, probably best to have them do the split. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBAgAGBQJSPIdjAAoJEBYNRVNeJnmTOo8QAJsImU6tt2fgeP2lhWonL0L6 WBtkTSRtcbieBM5dOPv9JrfrfMqOFu9G/pBLbdu51zYo9/hu/owU1Lw+FFFKrgbO 3zLwC/MHYYXaHtAxI9W8PyZtcx6F4q0sZT83DQjFPzmpPkNYegPuAYFtEYbszPJK OCv+He9eEE1gLmOM+kbO8ixx51uLu7lTpQcD2Q1YpP3lE8GFkcoLmsPCChhaLnYk 17PdYtpIw/v97XIOVAnhlpu8HyMWxaVRAjrdkoLEdKNhnS2WiQMlgz6DEwKpgbE4 GnulZ4+0lm74LA3cY9RThCKJDandiH4HC+7FivP/633QJ23rs6w85+29wuWUE+gJ XOS44OCmzbZSku9brbplHK/NgUGmxH8SsTSxDcgzKKFWCLt/2rwaKAb1M646O1yi H5mAKazPKvKISarbHFNiUDUt/35OiTg5AxgVvDTDj7cnejAEfRSiScpSNWSBQ/n8 +JizR1ElyU4rAnyufxSn4yNAUHzcS2kpLmCPr1Biy3nW5+xCyXlcbpgo9Z1fmPJ2 VL08rHUtEC4vcpSjPvatRWaC+vgirky5xgN1/in1bY8tAURUkWLBRRvGuMQfaq7E H+XLbpSJIUn3nEy8sOSNL/z3uwdnXnKYgCcw4Zwp7Cix5mYVxFgi6xBNE6E9m150 RbuLEH8U54XzNMpPOSZw =Qv2g -----END PGP SIGNATURE-----
Current thread:
- CVE-2013-5696: split needed Raphael Geissert (Sep 20)
- Re: CVE-2013-5696: split needed Kurt Seifried (Sep 20)
- Re: CVE-2013-5696: split needed cve-assign (Sep 23)
- Re: CVE-2013-5696: split needed Kurt Seifried (Sep 20)