oss-sec mailing list archives
CVE-2013-5696: split needed
From: Raphael Geissert <geissert () debian org>
Date: Fri, 20 Sep 2013 10:27:02 +0200
Hi, GLPI 0.84.2 fixes a few security issues [1], for which CVE-2013-5696 was assigned. However, from the bug tracker[2] it is clear that there are multiple issues: * SQL Injection * PHP Code Execution * CSRF (seems that it is the vector for the SQL injection) There there are references to the above CVE id and an id from HTB. The latter's advisory [3] only refers to remote code execution. So, it looks like the CVE id was originally assigned to the CSRF vulnerability, then reused for the SQL injections, and the code execution vulns. were just added to the same bug report but it is completely independent and not covered by the existing CVE id. CC'ing GLPI upstream so that they can, hopefully, shed some more light. Is the 0.83 branch affected by the way? CC'ing one of HTB's email addresses, in case they've already requested an id directly from MITRE. (oh and it appears that there's now a warning requesting the install.php script to be deleted after the installation. Does that mean that there are bugs left to be exploited otherwise?) [1]http://www.glpi-project.org/spip.php?page=annonce&id_breve=308 [2]https://forge.indepnet.net/issues/4480 [3]https://www.htbridge.com/advisory/HTB23173 Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Current thread:
- CVE-2013-5696: split needed Raphael Geissert (Sep 20)
- Re: CVE-2013-5696: split needed Kurt Seifried (Sep 20)
- Re: CVE-2013-5696: split needed cve-assign (Sep 23)
- Re: CVE-2013-5696: split needed Kurt Seifried (Sep 20)