oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE Request -- GLPI -- Properly blacklist some sensitive fields

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 25 Jul 2011 14:52:42 +0200
Hello Josh, Steve, vendors,
it was found that GLPI, the Information Resource-Manager with an additional Administration-Interface, did not properly blacklist certain sensitive variables (like GLPI username and password). A remote attacker could use this flaw to obtain access to plaintext form of these values via specially-crafted HTTP POST request. 

References:
[1] http://www.glpi-project.org/spip.php?page=annonce&id_breve=237&lang=en
[2] https://forge.indepnet.net/projects/glpi/versions/605
[3] https://forge.indepnet.net/issues/3017

Relevant patches:
[4]  https://forge.indepnet.net/projects/glpi/repository/revisions/14951
[5]  https://forge.indepnet.net/projects/glpi/repository/revisions/14952
[6]  https://forge.indepnet.net/projects/glpi/repository/revisions/14954
[7]  https://forge.indepnet.net/projects/glpi/repository/revisions/14955
[8]  https://forge.indepnet.net/projects/glpi/repository/revisions/14956
[9]  https://forge.indepnet.net/projects/glpi/repository/revisions/14957
[10] https://forge.indepnet.net/projects/glpi/repository/revisions/14958
[11] https://forge.indepnet.net/projects/glpi/repository/revisions/14960
[12] https://forge.indepnet.net/projects/glpi/repository/revisions/14966

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Previous By Date Next
Previous By Thread Next

Current thread: