oss-sec mailing list archives
Re: CVE request for GLPI
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 30 Jun 2013 17:24:38 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/27/2013 01:41 AM, Mehrenberger, Xavier wrote:
Hello, I'd like to request a CVE identifier for a vulnerability in GLPI. The unserialize() function was used in several places throughout the codebase; one CVE identifier should (IMHO) be sufficient. It has been publicly fixed in the project's repository. Thanks ======================================= Advisory title: unserialize vulnerability in GLPI 0.83.9 Product: GLPI 0.83.9 Discovered by: Xavier Mehrenberger @Cassidian CyberSecurity Vulnerable version: 0.83.9 Tested: v0.83.9, 2013-06-21 Fixed in repository: 2013-06-23 commits 21169 to 21180 Category: Potential PHP code execution Vulnerability type: [CWE-502] Deserialization of Untrusted Data CVE IDs: none yet By: Xavier Mehrenberger Cassidian CyberSecurity http://www.cassidiancybersecurity.com ======================================= ----- CVE-2013-XXXX Required configuration: No specific configuration required Steps to reproduce: * Issue a request to glpi/front/ticket.form.php?id=1&_predefined_fields=XXXX, * replacing XXX with a serialized PHP object Vulnerable code sample: --- file ticket.class.php, function showFormHelpdesk if (isset($options['_predefined_fields'])) { $options['_predefined_fields'] = unserialize(rawurldecode(stripslashes($options['_predefined_fields'])));
- ---
When passing a non-existent empty serialized class (ex: class called "exploit" value "O%3A7%3A%22exploit%22%3A0%3A%7B%7D"), an error occurs, which is caught by the userErrorHandlerNormal function in toolbox.class.php. When a PHP object gets unserialized, its __wakeup() function is executed. When this object gets destroyed, its __destruct() function is executed (since PHP5). No such object exists throughout the GLPI codebase. However, it might exist in a third-party library, as demonstrated by Stefan Esser [2]. More information about this vulnerability class can be found at [1]. The unsafe use of unserialize() has been fixed throughout the codebase in commits 21169 [3] to 21180. References: [1] https://www.owasp.org/index.php/PHP_Object_Injection [2] http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.p
df part II
[3] https://forge.indepnet.net/projects/glpi/repository/revisions/21169/diff
/branches/0.83-bugfixes/inc/ticket.class.php Please use CVE-2013-2225 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR0L42AAoJEBYNRVNeJnmTDbEP/3BV/MWD0NNISceAgS7So1Za IhHUlZ2lF5po8iorsVH77ppIUL7TBRuTqogN1K3IOZCGAMMPuKgIydtj21+regiW gyc1PaePkMMBVVTUesFmHLn19pLyjo6bXKribWwJIz3bnSnZzUj5gjxzbXzUvLRG m7NHcnpywIcefHOGTWn6ysBQZFssAKLGOamBwMQCoKxXG/ecjs5U9mDMT2CaW5D3 VI23yY+l8WeEokOgV+JXzmFaEns3XeImkjw/L2DKoljOTppIdisxV9OvhFTUlHlQ dz+WPzezBg4cS5DmlS2kpZ5f6IxclVa49On+1HeQpl7IrA/JWO8RjXZiWblDgfOK kasIuvU4lCCcZ6iBg6ZBypNF2NxDFB+hOo4F4V4CyRK6eiFCAAjIN49hlu75GmM5 524DMXYgiQ9x6hcjs42yNbevUvJ+6wDkhf3jBQEKytlmeW9sazHY/7b2g6uSB0RB nIkG/WWW3X0O8cos1ouaB2RpYnN/oWEEuiD0u7+JMRmIeVov67xvSkXmgJJojo02 RE6E7Nl3LM0SO+Ji4I0g90HUPJkSiGJvvMLVtZ2v9gdVaKvNFUjyzdQ22xOEZDQQ WdcUF+jqhqTGgF32vluWAS+b0Hd0AbWfxlgtxCr0u175knSEuSNBksmKXJymIUG9 TTDmdcfqLkSS9mxBvkvN =JKWx -----END PGP SIGNATURE-----
Current thread:
- CVE request for GLPI Mehrenberger, Xavier (Jun 27)
- Re: CVE request for GLPI Kurt Seifried (Jun 30)