Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAA7hUgECRnc3dd2oM9CFnsi8RDt11suZkKK=ULki6SArRrnDQA@mail.gmail.com>
Date: Fri, 20 Sep 2013 10:27:02 +0200
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Cc: jmd@...epnet.net, moyo@...epnet.net, info@...ridge.com
Subject: CVE-2013-5696: split needed

Hi,

GLPI 0.84.2 fixes a few security issues [1], for which CVE-2013-5696
was assigned.
However, from the bug tracker[2] it is clear that there are multiple issues:

* SQL Injection
* PHP Code Execution
* CSRF (seems that it is the vector for the SQL injection)

There there are references to the above CVE id and an id from HTB.
The latter's advisory [3] only refers to remote code execution.

So, it looks like the CVE id was originally assigned to the CSRF
vulnerability, then reused for the SQL injections, and the code
execution vulns. were just added to the same bug report but it is
completely independent and not covered by the existing CVE id.

CC'ing GLPI upstream so that they can, hopefully, shed some more
light. Is the 0.83 branch affected by the way?

CC'ing one of HTB's email addresses, in case they've already requested
an id directly from MITRE.

(oh and it appears that there's now a warning requesting the
install.php script to be deleted after the installation. Does that
mean that there are bugs left to be exploited otherwise?)

[1]http://www.glpi-project.org/spip.php?page=annonce&id_breve=308
[2]https://forge.indepnet.net/issues/4480
[3]https://www.htbridge.com/advisory/HTB23173

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.