List:       oss-security
Subject:    Re: [oss-security] CVE Request -- GLPI -- Properly blacklist some
From:       Josh Bressers <bressers () redhat ! com>
Date:       2011-07-26 19:57:34
Message-ID: 1048604435.1604666.1311710254688.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Please use CVE-2011-2720.

Thanks.

-- 
    JB

----- Original Message -----
> Hello Josh, Steve, vendors,
> 
> it was found that GLPI, the Information Resource-Manager with an
> additional Administration-Interface, did not properly blacklist certain
> sensitive variables (like GLPI username and password). A remote attacker
> could use this flaw to obtain access to the plaintext form of these values
> via a specially-crafted HTTP POST request.
> 
> References:
> [1] http://www.glpi-project.org/spip.php?page=annonce&id_breve=237&lang=en
> [2] https://forge.indepnet.net/projects/glpi/versions/605
> [3] https://forge.indepnet.net/issues/3017
> 
> Relevant patches:
> [4] https://forge.indepnet.net/projects/glpi/repository/revisions/14951
> [5] https://forge.indepnet.net/projects/glpi/repository/revisions/14952
> [6] https://forge.indepnet.net/projects/glpi/repository/revisions/14954
> [7] https://forge.indepnet.net/projects/glpi/repository/revisions/14955
> [8] https://forge.indepnet.net/projects/glpi/repository/revisions/14956
> [9] https://forge.indepnet.net/projects/glpi/repository/revisions/14957
> [10] https://forge.indepnet.net/projects/glpi/repository/revisions/14958
> [11] https://forge.indepnet.net/projects/glpi/repository/revisions/14960
> [12] https://forge.indepnet.net/projects/glpi/repository/revisions/14966
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team