|
Message-ID: <523C8763.5020309@redhat.com> Date: Fri, 20 Sep 2013 11:35:31 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Raphael Geissert <geissert@...ian.org>, jmd@...epnet.net, moyo@...epnet.net, info@...ridge.com, Assign a CVE Identifier <cve-assign@...re.org> Subject: Re: CVE-2013-5696: split needed -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/20/2013 02:27 AM, Raphael Geissert wrote: > Hi, > > GLPI 0.84.2 fixes a few security issues [1], for which > CVE-2013-5696 was assigned. However, from the bug tracker[2] it is > clear that there are multiple issues: > > * SQL Injection * PHP Code Execution * CSRF (seems that it is the > vector for the SQL injection) > > There there are references to the above CVE id and an id from HTB. > The latter's advisory [3] only refers to remote code execution. > > So, it looks like the CVE id was originally assigned to the CSRF > vulnerability, then reused for the SQL injections, and the code > execution vulns. were just added to the same bug report but it is > completely independent and not covered by the existing CVE id. > > CC'ing GLPI upstream so that they can, hopefully, shed some more > light. Is the 0.83 branch affected by the way? > > CC'ing one of HTB's email addresses, in case they've already > requested an id directly from MITRE. > > (oh and it appears that there's now a warning requesting the > install.php script to be deleted after the installation. Does that > mean that there are bugs left to be exploited otherwise?) > > [1]http://www.glpi-project.org/spip.php?page=annonce&id_breve=308 > [2]https://forge.indepnet.net/issues/4480 > [3]https://www.htbridge.com/advisory/HTB23173 > > Cheers, I assume this was assigned by Mitre, probably best to have them do the split. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBAgAGBQJSPIdjAAoJEBYNRVNeJnmTOo8QAJsImU6tt2fgeP2lhWonL0L6 WBtkTSRtcbieBM5dOPv9JrfrfMqOFu9G/pBLbdu51zYo9/hu/owU1Lw+FFFKrgbO 3zLwC/MHYYXaHtAxI9W8PyZtcx6F4q0sZT83DQjFPzmpPkNYegPuAYFtEYbszPJK OCv+He9eEE1gLmOM+kbO8ixx51uLu7lTpQcD2Q1YpP3lE8GFkcoLmsPCChhaLnYk 17PdYtpIw/v97XIOVAnhlpu8HyMWxaVRAjrdkoLEdKNhnS2WiQMlgz6DEwKpgbE4 GnulZ4+0lm74LA3cY9RThCKJDandiH4HC+7FivP/633QJ23rs6w85+29wuWUE+gJ XOS44OCmzbZSku9brbplHK/NgUGmxH8SsTSxDcgzKKFWCLt/2rwaKAb1M646O1yi H5mAKazPKvKISarbHFNiUDUt/35OiTg5AxgVvDTDj7cnejAEfRSiScpSNWSBQ/n8 +JizR1ElyU4rAnyufxSn4yNAUHzcS2kpLmCPr1Biy3nW5+xCyXlcbpgo9Z1fmPJ2 VL08rHUtEC4vcpSjPvatRWaC+vgirky5xgN1/in1bY8tAURUkWLBRRvGuMQfaq7E H+XLbpSJIUn3nEy8sOSNL/z3uwdnXnKYgCcw4Zwp7Cix5mYVxFgi6xBNE6E9m150 RbuLEH8U54XzNMpPOSZw =Qv2g -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.