Vulmon
CVE-2012-1037: GLPI <= 0.80.61 LFI/RFI
Severity: Important
Vendor: GLPI - http://www.glpi-project.org
Versions Affected
=================
All versions between 0.78 and 0.80.61
Description
===========
GLPI fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file:
[...]
checkLoginUser();
if (isset($_GET["popup"])) {
$_SESSION["glpipopup"]["name"] = $_GET["popup"];
}
if (isset($_SESSION["glpipopup"]["name"])) {
switch ($_SESSION["glpipopup"]["name"]) {
[...]
case "add_ruleparameter" :
popHeader($LANG['ldap'][35], $_SERVER['PHP_SELF']);
include strtolower($_GET['sub_type']."Parameter.php"); // <=======
break;
[...]
To be triggered, the attacker needs to be authenticated. However, GLPI provides default accounts that often aren't changed or disabled:
glpi/glpi
tech/tech
normal/normal
post-only/postonly
Impact
======
Since there is a suffix, the vulnerability can be used as a RFI (requires allow_url_include = On).
For LFI, the target file has to end up with "parameter.php". GLPI automatically escapes all GET and POST parameters with addslashes(), so the null byte technique is not usable. I have not tested exploitation using path truncation technique but it might be possible.
Mitigation
==========
Upgrade to GLPI 0.80.7.
Exploit
=======
http://<server>/front/popup.php?popup=add_ruleparameter&sub_type=<file>
Timeline
========
08 feb 2012 - Found the bug.
09 feb 2012 - Contacted the GLPI Team.
09 feb 2012 - Bug fixed & new version available.
Thanks to the GLPI team for being responsive!
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037
https://forge.indepnet.net/projects/glpi/versions/685
https://forge.indepnet.net/projects/glpi/repository/revisions/17457/diff/branches/0.80-bugfixes/front/popup.php
--
Emilien Girault
<p>