Re: CVE-2013-5696: split needed

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/20/2013 02:27 AM, Raphael Geissert wrote:
> Hi,
>
> GLPI 0.84.2 fixes a few security issues [1], for which
> CVE-2013-5696 was assigned. However, from the bug tracker[2] it is
> clear that there are multiple issues:
>
> * SQL Injection * PHP Code Execution * CSRF (seems that it is the
> vector for the SQL injection)
>
> There there are references to the above CVE id and an id from HTB. 
> The latter's advisory [3] only refers to remote code execution.
>
> So, it looks like the CVE id was originally assigned to the CSRF 
> vulnerability, then reused for the SQL injections, and the code 
> execution vulns. were just added to the same bug report but it is 
> completely independent and not covered by the existing CVE id.
>
> CC'ing GLPI upstream so that they can, hopefully, shed some more 
> light. Is the 0.83 branch affected by the way?
>
> CC'ing one of HTB's email addresses, in case they've already
> requested an id directly from MITRE.
>
> (oh and it appears that there's now a warning requesting the 
> install.php script to be deleted after the installation. Does that 
> mean that there are bugs left to be exploited otherwise?)
>
> [1]http://www.glpi-project.org/spip.php?page=annonce&id_breve=308 
> [2]https://forge.indepnet.net/issues/4480 
> [3]https://www.htbridge.com/advisory/HTB23173
>
> Cheers,

I assume this was assigned by Mitre, probably best to have them do the
split.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSPIdjAAoJEBYNRVNeJnmTOo8QAJsImU6tt2fgeP2lhWonL0L6
WBtkTSRtcbieBM5dOPv9JrfrfMqOFu9G/pBLbdu51zYo9/hu/owU1Lw+FFFKrgbO
3zLwC/MHYYXaHtAxI9W8PyZtcx6F4q0sZT83DQjFPzmpPkNYegPuAYFtEYbszPJK
OCv+He9eEE1gLmOM+kbO8ixx51uLu7lTpQcD2Q1YpP3lE8GFkcoLmsPCChhaLnYk
17PdYtpIw/v97XIOVAnhlpu8HyMWxaVRAjrdkoLEdKNhnS2WiQMlgz6DEwKpgbE4
GnulZ4+0lm74LA3cY9RThCKJDandiH4HC+7FivP/633QJ23rs6w85+29wuWUE+gJ
XOS44OCmzbZSku9brbplHK/NgUGmxH8SsTSxDcgzKKFWCLt/2rwaKAb1M646O1yi
H5mAKazPKvKISarbHFNiUDUt/35OiTg5AxgVvDTDj7cnejAEfRSiScpSNWSBQ/n8
+JizR1ElyU4rAnyufxSn4yNAUHzcS2kpLmCPr1Biy3nW5+xCyXlcbpgo9Z1fmPJ2
VL08rHUtEC4vcpSjPvatRWaC+vgirky5xgN1/in1bY8tAURUkWLBRRvGuMQfaq7E
H+XLbpSJIUn3nEy8sOSNL/z3uwdnXnKYgCcw4Zwp7Cix5mYVxFgi6xBNE6E9m150
RbuLEH8U54XzNMpPOSZw
=Qv2g
-----END PGP SIGNATURE-----