Re: CVE request for GLPI

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/27/2013 01:41 AM, Mehrenberger, Xavier wrote:
> Hello,
>
> I'd like to request a CVE identifier for a vulnerability in GLPI. 
> The unserialize() function was used in several places throughout
> the codebase; one CVE identifier should (IMHO) be sufficient.
>
> It has been publicly fixed in the project's repository.
>
> Thanks
>
> ======================================= Advisory title: unserialize
> vulnerability in GLPI 0.83.9 Product: GLPI 0.83.9 Discovered by:
> Xavier Mehrenberger @Cassidian CyberSecurity Vulnerable version:
> 0.83.9 Tested: v0.83.9, 2013-06-21 Fixed in repository: 2013-06-23
> commits 21169 to 21180 Category: Potential PHP code execution 
> Vulnerability type: [CWE-502] Deserialization of Untrusted Data CVE
> IDs: none yet By: Xavier Mehrenberger Cassidian CyberSecurity 
> http://www.cassidiancybersecurity.com 
> =======================================
>
> ----- CVE-2013-XXXX Required configuration: No specific
> configuration required Steps to reproduce: * Issue a request to 
> glpi/front/ticket.form.php?id=1&_predefined_fields=XXXX, *
> replacing XXX with a serialized PHP object
>
> Vulnerable code sample: --- file ticket.class.php, function
> showFormHelpdesk if (isset($options['_predefined_fields'])) { 
> $options['_predefined_fields'] = 
> unserialize(rawurldecode(stripslashes($options['_predefined_fields'])));
- ---
> When passing a non-existent empty serialized class (ex: class
> called "exploit" value "O%3A7%3A%22exploit%22%3A0%3A%7B%7D"), an
> error occurs, which is caught by the userErrorHandlerNormal
> function in toolbox.class.php.
>
> When a PHP object gets unserialized, its __wakeup() function is 
> executed. When this object gets destroyed, its __destruct()
> function is executed (since PHP5). No such object exists throughout
> the GLPI codebase. However, it might exist in a third-party
> library, as demonstrated by Stefan Esser [2]. More information
> about this vulnerability class can be found at [1].
>
> The unsafe use of unserialize() has been fixed throughout the
> codebase in commits 21169 [3] to 21180.
>
> References: [1]
> https://www.owasp.org/index.php/PHP_Object_Injection [2] 
> http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.p
df part II
> [3] 
> https://forge.indepnet.net/projects/glpi/repository/revisions/21169/diff
/branches/0.83-bugfixes/inc/ticket.class.php

Please use CVE-2013-2225 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR0L42AAoJEBYNRVNeJnmTDbEP/3BV/MWD0NNISceAgS7So1Za
IhHUlZ2lF5po8iorsVH77ppIUL7TBRuTqogN1K3IOZCGAMMPuKgIydtj21+regiW
gyc1PaePkMMBVVTUesFmHLn19pLyjo6bXKribWwJIz3bnSnZzUj5gjxzbXzUvLRG
m7NHcnpywIcefHOGTWn6ysBQZFssAKLGOamBwMQCoKxXG/ecjs5U9mDMT2CaW5D3
VI23yY+l8WeEokOgV+JXzmFaEns3XeImkjw/L2DKoljOTppIdisxV9OvhFTUlHlQ
dz+WPzezBg4cS5DmlS2kpZ5f6IxclVa49On+1HeQpl7IrA/JWO8RjXZiWblDgfOK
kasIuvU4lCCcZ6iBg6ZBypNF2NxDFB+hOo4F4V4CyRK6eiFCAAjIN49hlu75GmM5
524DMXYgiQ9x6hcjs42yNbevUvJ+6wDkhf3jBQEKytlmeW9sazHY/7b2g6uSB0RB
nIkG/WWW3X0O8cos1ouaB2RpYnN/oWEEuiD0u7+JMRmIeVov67xvSkXmgJJojo02
RE6E7Nl3LM0SO+Ji4I0g90HUPJkSiGJvvMLVtZ2v9gdVaKvNFUjyzdQ22xOEZDQQ
WdcUF+jqhqTGgF32vluWAS+b0Hd0AbWfxlgtxCr0u175knSEuSNBksmKXJymIUG9
TTDmdcfqLkSS9mxBvkvN
=JKWx
-----END PGP SIGNATURE-----