lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <54E38103.1030705@lexsi.com>
Date: Tue, 17 Feb 2015 18:57:23 +0100
From: Stiehl <pstiehl@...si.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] [CVE-REQUEST] Multiple vulnerabilities on GLPI

Multiple vulnerabilities have been identified in GLPI 
(http://www.glpi-project.org).

1/ Arbitrary file upload
Severity: Important

Versions Affected
===========
All versions between 0.85 and 0.85.2

Description
=======
When an user wants to create a new ticket, he has the possibility to add 
an attachment. If for example he wants to add a file named "test.php" 
with or without adding the ticket, the file will be temporary uploaded 
to GLPI_ROOT/files/_tmp/test.php. We can then directly access this file 
through http://host/GLPI_ROOT/files/_tmp/test.php and by default the php 
code will be interpreted.

To trigger this vulnerability we need an account that disposes of the 
rights to create a ticket.

This vulnerability is a combination of three issues:
- predictable uploaded file names (not randomized)
- upload of unauthorized file extensions
- temporary uploaded files not deleted if using an unauthorized file 
extension.

Impact
=====
By uploading a php file that will be interpreted a malicious user would 
be able to execute arbitrary code on the server.

Mitigation
======
Upgrade to GLPI 0.85.3 (https://forge.indepnet.net/issues/5217)


==========


2/ Privilege escalation
Severity: Important

Versions Affected
===========
All versions <= 0.85.2

Description
=======
Taking the default account tech, he is only allowed to add users in the 
following groups: Self-Service, Technician. He has not the right over, 
for example, the super-admin group. So he cannot add the super-admin 
privileges to an  existing user.

The problem is when creating a new user. When intercepting the POST 
request (GLPI_ROOT/front/user.form.php) of a user creation and modifying 
the _profiles_id parameter (corresponding to the group attached to the 
user) to 4, the new user will have the super-admin privileges.

Impact
=====
Any user who has the rights to create a new user can create a 
super-admin user.

Mitigation
======
Upgrade to GLPI 0.85.3 (https://forge.indepnet.net/issues/5218)

Regards,
--
Peter STIEHL

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ