oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request -- GLPI -- Properly blacklist some sensitive fields

From: Josh Bressers <bressers () redhat com>
Date: Tue, 26 Jul 2011 15:57:34 -0400 (EDT)
Plese use CVE-2011-2720.

Thanks.

-- 
    JB

----- Original Message -----

Hello Josh, Steve, vendors,

it was found that GLPI, the Information Resource-Manager with an
additional Administration-Interface, did not properly blacklist
certain
sensitive variables (like GLPI username and password). A remote
attacker
could use this flaw to obtain access to plaintext form of these values
via specially-crafted HTTP POST request.

References:
[1]
http://www.glpi-project.org/spip.php?page=annonce&id_breve=237&lang=en
[2] https://forge.indepnet.net/projects/glpi/versions/605
[3] https://forge.indepnet.net/issues/3017

Relevant patches:
[4]
https://forge.indepnet.net/projects/glpi/repository/revisions/14951
[5]
https://forge.indepnet.net/projects/glpi/repository/revisions/14952
[6]
https://forge.indepnet.net/projects/glpi/repository/revisions/14954
[7]
https://forge.indepnet.net/projects/glpi/repository/revisions/14955
[8]
https://forge.indepnet.net/projects/glpi/repository/revisions/14956
[9]
https://forge.indepnet.net/projects/glpi/repository/revisions/14957
[10]
https://forge.indepnet.net/projects/glpi/repository/revisions/14958
[11]
https://forge.indepnet.net/projects/glpi/repository/revisions/14960
[12]
https://forge.indepnet.net/projects/glpi/repository/revisions/14966

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Previous By Date Next
Previous By Thread Next

Current thread: