|
Message-ID: <CAA7hUgECRnc3dd2oM9CFnsi8RDt11suZkKK=ULki6SArRrnDQA@mail.gmail.com> Date: Fri, 20 Sep 2013 10:27:02 +0200 From: Raphael Geissert <geissert@...ian.org> To: oss-security@...ts.openwall.com Cc: jmd@...epnet.net, moyo@...epnet.net, info@...ridge.com Subject: CVE-2013-5696: split needed Hi, GLPI 0.84.2 fixes a few security issues [1], for which CVE-2013-5696 was assigned. However, from the bug tracker[2] it is clear that there are multiple issues: * SQL Injection * PHP Code Execution * CSRF (seems that it is the vector for the SQL injection) There there are references to the above CVE id and an id from HTB. The latter's advisory [3] only refers to remote code execution. So, it looks like the CVE id was originally assigned to the CSRF vulnerability, then reused for the SQL injections, and the code execution vulns. were just added to the same bug report but it is completely independent and not covered by the existing CVE id. CC'ing GLPI upstream so that they can, hopefully, shed some more light. Is the 0.83 branch affected by the way? CC'ing one of HTB's email addresses, in case they've already requested an id directly from MITRE. (oh and it appears that there's now a warning requesting the install.php script to be deleted after the installation. Does that mean that there are bugs left to be exploited otherwise?) [1]http://www.glpi-project.org/spip.php?page=annonce&id_breve=308 [2]https://forge.indepnet.net/issues/4480 [3]https://www.htbridge.com/advisory/HTB23173 Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.