oss-sec mailing list archives
CVE Request -- GLPI -- Properly blacklist some sensitive fields
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 25 Jul 2011 14:52:42 +0200
Hello Josh, Steve, vendors,

it was found that GLPI, the Information Resource-Manager with an additional Administration-Interface, did not properly blacklist certain sensitive variables (like GLPI username and password). A remote attacker could use this flaw to obtain access to plaintext form of these values via specially-crafted HTTP POST request.

References:
[1] http://www.glpi-project.org/spip.php?page=annonce&id_breve=237&lang=en
[2] https://forge.indepnet.net/projects/glpi/versions/605
[3] https://forge.indepnet.net/issues/3017

Relevant patches:
[4] https://forge.indepnet.net/projects/glpi/repository/revisions/14951
[5] https://forge.indepnet.net/projects/glpi/repository/revisions/14952
[6] https://forge.indepnet.net/projects/glpi/repository/revisions/14954
[7] https://forge.indepnet.net/projects/glpi/repository/revisions/14955
[8] https://forge.indepnet.net/projects/glpi/repository/revisions/14956
[9] https://forge.indepnet.net/projects/glpi/repository/revisions/14957
[10] https://forge.indepnet.net/projects/glpi/repository/revisions/14958
[11] https://forge.indepnet.net/projects/glpi/repository/revisions/14960
[12] https://forge.indepnet.net/projects/glpi/repository/revisions/14966

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
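The flaw described above is a failure to keep blacklisted sensitive fields (credentials such as the GLPI username and password) out of data that a submitted form can cause the application to reflect or expose. The following is an added illustration of the defensive pattern, written for this archive page; it is not GLPI's code and not the content of the linked patches. The function name, the blacklist entries and the sample request array are assumptions chosen for the example, and the constructed input stands in for `$_POST`.

```php
<?php
// Added example (not GLPI's own code): mask blacklisted sensitive fields in a
// submitted form array before it is echoed back, logged, or kept in a session.
// Field names in the blacklist and sample data are assumptions for illustration.

function redactSensitiveFields(array $data, array $blacklist, string $mask = '********'): array
{
    // Build a lowercase lookup once so the key comparison is case-insensitive.
    $blocked = array_flip(array_map('strtolower', $blacklist));

    foreach ($data as $key => $value) {
        if (is_array($value)) {
            // Recurse so nested fields such as config[db][password] are covered too.
            $data[$key] = redactSensitiveFields($value, $blacklist, $mask);
        } elseif (isset($blocked[strtolower((string) $key)])) {
            // Replace the value rather than unsetting the key, so callers that
            // expect the field to exist still work but never see the plaintext.
            $data[$key] = $mask;
        }
    }
    return $data;
}

// Constructed sample request standing in for $_POST (values are made up).
$post = [
    'name'     => 'demo',
    'password' => 'hunter2',
    'db'       => ['user' => 'glpi', 'password' => 's3cret', 'host' => 'localhost'],
];

$safe = redactSensitiveFields($post, ['password', 'user', 'smtp_password']);
var_export($safe);
// 'name' and 'host' keep their values; every blacklisted key is masked.
```

Applying the filter at the single point where request data is handed to templates or logs, rather than at each individual output site, is what prevents a newly added or forgotten field from slipping past the blacklist.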
Current thread:
- CVE Request -- GLPI -- Properly blacklist some sensitive fields Jan Lieskovsky (Jul 25)
- Re: CVE Request -- GLPI -- Properly blacklist some sensitive fields Josh Bressers (Jul 26)