[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE request for GLPI
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2013-06-30 23:24:38
Message-ID: 51D0BE36.5020900 () redhat ! com
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/27/2013 01:41 AM, Mehrenberger, Xavier wrote:
> Hello,
>
> I'd like to request a CVE identifier for a vulnerability in GLPI.
> The unserialize() function was used in several places throughout
> the codebase; one CVE identifier should (IMHO) be sufficient.
>
> It has been publicly fixed in the project's repository.
>
> Thanks
>
> ======================================= Advisory title: unserialize
> vulnerability in GLPI 0.83.9 Product: GLPI 0.83.9 Discovered by:
> Xavier Mehrenberger @Cassidian CyberSecurity Vulnerable version:
> 0.83.9 Tested: v0.83.9, 2013-06-21 Fixed in repository: 2013-06-23
> commits 21169 to 21180 Category: Potential PHP code execution
> Vulnerability type: [CWE-502] Deserialization of Untrusted Data CVE
> IDs: none yet By: Xavier Mehrenberger Cassidian CyberSecurity
> http://www.cassidiancybersecurity.com
> =======================================
>
> ----- CVE-2013-XXXX Required configuration: No specific
> configuration required Steps to reproduce: * Issue a request to
> glpi/front/ticket.form.php?id=1&_predefined_fields=XXXX, *
> replacing XXX with a serialized PHP object
>
> Vulnerable code sample: --- file ticket.class.php, function
> showFormHelpdesk if (isset($options['_predefined_fields'])) {
> $options['_predefined_fields'] =
> unserialize(rawurldecode(stripslashes($options['_predefined_fields'])));
>
>
- ---
>
> When passing a non-existent empty serialized class (ex: class
> called "exploit" value "O%3A7%3A%22exploit%22%3A0%3A%7B%7D"), an
> error occurs, which is caught by the userErrorHandlerNormal
> function in toolbox.class.php.
>
> When a PHP object gets unserialized, its __wakeup() function is
> executed. When this object gets destroyed, its __destruct()
> function is executed (since PHP5). No such object exists throughout
> the GLPI codebase. However, it might exist in a third-party
> library, as demonstrated by Stefan Esser [2]. More information
> about this vulnerability class can be found at [1].
>
> The unsafe use of unserialize() has been fixed throughout the
> codebase in commits 21169 [3] to 21180.
>
> References: [1]
> https://www.owasp.org/index.php/PHP_Object_Injection [2]
> http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.p
>
>
df part II
> [3]
> https://forge.indepnet.net/projects/glpi/repository/revisions/21169/diff
>
>
/branches/0.83-bugfixes/inc/ticket.class.php
Please use CVE-2013-2225 for this issue.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iQIcBAEBAgAGBQJR0L42AAoJEBYNRVNeJnmTDbEP/3BV/MWD0NNISceAgS7So1Za
IhHUlZ2lF5po8iorsVH77ppIUL7TBRuTqogN1K3IOZCGAMMPuKgIydtj21+regiW
gyc1PaePkMMBVVTUesFmHLn19pLyjo6bXKribWwJIz3bnSnZzUj5gjxzbXzUvLRG
m7NHcnpywIcefHOGTWn6ysBQZFssAKLGOamBwMQCoKxXG/ecjs5U9mDMT2CaW5D3
VI23yY+l8WeEokOgV+JXzmFaEns3XeImkjw/L2DKoljOTppIdisxV9OvhFTUlHlQ
dz+WPzezBg4cS5DmlS2kpZ5f6IxclVa49On+1HeQpl7IrA/JWO8RjXZiWblDgfOK
kasIuvU4lCCcZ6iBg6ZBypNF2NxDFB+hOo4F4V4CyRK6eiFCAAjIN49hlu75GmM5
524DMXYgiQ9x6hcjs42yNbevUvJ+6wDkhf3jBQEKytlmeW9sazHY/7b2g6uSB0RB
nIkG/WWW3X0O8cos1ouaB2RpYnN/oWEEuiD0u7+JMRmIeVov67xvSkXmgJJojo02
RE6E7Nl3LM0SO+Ji4I0g90HUPJkSiGJvvMLVtZ2v9gdVaKvNFUjyzdQ22xOEZDQQ
WdcUF+jqhqTGgF32vluWAS+b0Hd0AbWfxlgtxCr0u175knSEuSNBksmKXJymIUG9
TTDmdcfqLkSS9mxBvkvN
=JKWx
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic