GLPI v0.83.7 (itemtype) Parameter Traversal Arbitrary File Access Exploit

Title: GLPI v0.83.7 (itemtype) Parameter Traversal Arbitrary File Access Exploit
Advisory ID: ZSL-2013-5145
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 19.06.2013
Summary
GLPI, an initialism for Gestionnaire libre de parc informatique (Free Management of Computer Equipment), was designed by the Indepnet Association (a non-profit organisation) in 2003. GLPI is a free asset and IT management software package; it also offers functionality such as an ITIL service desk, license tracking and software auditing.
Description
GLPI suffers from a file inclusion vulnerability (LFI): input passed through the 'itemtype' parameter to the 'common.tabs.php' script is not properly verified before being used to include files. This can be exploited to include files from local resources via directory traversal sequences and URL-encoded NULL bytes.

--------------------------------------------------------------------------------

/ajax/common.tabs.php:
----------------------

46: if (!isset($_REQUEST['itemtype']) || empty($_REQUEST['itemtype'])) {
47: exit();
62: $item = new $_REQUEST['itemtype']();

--------------------------------------------------------------------------------
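The root cause above is that a request parameter reaches `new` as a class name with no check beyond "not empty". The following hardened handler is an added example, not GLPI's own code or its eventual fix: the stand-in item classes and the allowlist are constructed for the illustration, and a real deployment would derive the allowlist from the application's registered item classes.

```php
<?php
// Added example (not GLPI's own code): validate the 'itemtype' request
// parameter before it is used as a class name, replacing the unchecked
// `new $_REQUEST['itemtype']()` quoted from common.tabs.php above.

// Constructed stand-ins for the item classes a real allowlist would name.
class Computer {}
class Monitor {}
class Printer {}

// Return the canonical class name for $raw, or null if it must be refused.
function resolve_itemtype($raw, array $allowed): ?string
{
    // $_REQUEST values may be arrays (itemtype[]=x); only strings qualify.
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    // A class name is a plain identifier. This rejects traversal sequences
    // ('../'), NUL bytes decoded from %00, slashes and namespace separators.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $raw)) {
        error_log('rejected itemtype: ' . bin2hex($raw));
        return null;
    }
    // Instantiate only names from an explicit allowlist (compared
    // case-insensitively, as PHP class names are), never whatever
    // class_exists() or an autoloader happens to resolve.
    foreach ($allowed as $class) {
        if (strcasecmp($class, $raw) === 0) {
            return $class;
        }
    }
    error_log('unknown itemtype: ' . $raw);
    return null;
}

$allowed = ['Computer', 'Monitor', 'Printer'];   // constructed allowlist

$itemtype = resolve_itemtype($_REQUEST['itemtype'] ?? null, $allowed);
if ($itemtype === null) {
    http_response_code(400);
    exit('invalid itemtype');
}
$item = new $itemtype();   // safe: $itemtype is one of the allowlisted names
```

The `error_log` calls give operators a signal to alert on: any rejected value containing `..`, `/` or a NUL byte is a traversal attempt against this parameter rather than a typo.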

Vendor
INDEPNET Development Team - http://www.glpi-project.org
Affected Version
0.83.7
Tested On
Microsoft Windows 7 Ultimate SP1 (EN) - Apache/2.4.3, PHP/5.4.7
Linux CentOS 6.0 (Final) - Apache/2.2.15, PHP/5.3.3
Vendor Status
N/A
PoC
glpi_lfi.txt
Credits
Vulnerability discovered by Humberto Cabrera - <dni@zeroscience.mk>
References
[1] http://packetstormsecurity.com/files/122087
[2] http://cxsecurity.com/issue/WLB-2013060166
[3] http://www.1337day.com/exploit/20913
[4] http://www.securityhome.eu/exploits/exploit.php?eid=165991511951c2b755c7d9e0.92804477
[5] http://www.exploit-db.com/exploits/26366/
[6] http://xforce.iss.net/xforce/xfdb/85140
[7] http://www.securityfocus.com/bid/60692
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2227
[9] http://www.osvdb.org/show/osvdb/94711
Changelog
[19.06.2013] - Initial release
[20.06.2013] - Added reference [1], [2], [3] and [4]
[22.06.2013] - Added reference [5] and [6]
[02.07.2013] - Added reference [7] and [8]
[03.07.2013] - Added reference [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk