Message-ID: <CAA7hUgECRnc3dd2oM9CFnsi8RDt11suZkKK=ULki6SArRrnDQA@mail.gmail.com>
Date: Fri, 20 Sep 2013 10:27:02 +0200
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Cc: jmd@...epnet.net, moyo@...epnet.net, info@...ridge.com
Subject: CVE-2013-5696: split needed

Hi,

GLPI 0.84.2 fixes a few security issues [1], for which CVE-2013-5696
was assigned.
However, from the bug tracker[2] it is clear that there are multiple issues:

* SQL Injection
* PHP Code Execution
* CSRF (seems that it is the vector for the SQL injection)

There are references to the above CVE id and an id from HTB.
The latter's advisory [3] only refers to remote code execution.

So, it looks like the CVE id was originally assigned to the CSRF
vulnerability, then reused for the SQL injections, and the code
execution vulns. were just added to the same bug report but it is
completely independent and not covered by the existing CVE id.

CC'ing GLPI upstream so that they can, hopefully, shed some more
light. Is the 0.83 branch affected by the way?

CC'ing one of HTB's email addresses, in case they've already requested
an id directly from MITRE.

(oh and it appears that there's now a warning requesting the
install.php script to be deleted after the installation. Does that
mean that there are bugs left to be exploited otherwise?)

[1] http://www.glpi-project.org/spip.php?page=annonce&id_breve=308
[2] https://forge.indepnet.net/issues/4480
[3] https://www.htbridge.com/advisory/HTB23173

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
