GLPI v0.83.7 (itemtype) Parameter Traversal Arbitrary File Access Exploit

Medium
Advisory ID
ZSL-2013-5145
Release Date
19 June 2013
Vendor
INDEPNET Development Team - http://www.glpi-project.org
Affected Version
0.83.7
Tested On
Microsoft Windows 7 Ultimate SP1 (EN) - Apache/2.4.3, PHP/5.4.7
Linux CentOS 6.0 (Final) - Apache/2.2.15, PHP/5.3.3
Summary

GLPI, an initialism for Gestionnaire libre de parc informatique (Free Management of Computer Equipment), was designed by Indepnet Association (a non-profit organisation) in 2003. GLPI is a free asset and IT management software package; it also offers functionality such as an ITIL service desk, license tracking and software auditing.

Description

GLPI suffers from a local file inclusion (LFI) vulnerability: input passed through the 'itemtype' parameter to the 'common.tabs.php' script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL-encoded NULL bytes.

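/ajax/common.tabs.php:
----------------------
if (!isset($_REQUEST['itemtype']) || empty($_REQUEST['itemtype'])) {
   exit();
}
// ... (intervening lines omitted) ...
// The request value is used directly as the name of the class to instantiate.
$item = new $_REQUEST['itemtype']();
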
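One way to constrain the value before it reaches `new`, shown as an added example (not code from the advisory or from GLPI). The function `resolve_itemtype()` and the list `ALLOWED_ITEMTYPES` are hypothetical names, and the class names and sample inputs are constructed.

```php
<?php
// Added example, not GLPI code. Constructed sample allowlist (hypothetical).
const ALLOWED_ITEMTYPES = ['Computer', 'Monitor', 'Printer', 'Ticket'];

/**
 * Map a request-supplied item type to an allowlisted class name.
 * Returns null when the value must not reach `new` or a class loader.
 */
function resolve_itemtype($raw)
{
    // itemtype[]=x arrives as an array; only non-empty strings are accepted.
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    // A plain identifier cannot contain '/', '\', '.', '%' or a NUL byte, so
    // traversal sequences and NUL truncation fail here. \A and \z anchor the
    // whole string; '$' would still accept a trailing newline.
    if (preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $raw) !== 1) {
        return null;
    }
    // PHP class names are case-insensitive: compare that way, but return the
    // allowlist's own spelling so the raw input is never used afterwards.
    foreach (ALLOWED_ITEMTYPES as $name) {
        if (strcasecmp($name, $raw) === 0) {
            return $name;
        }
    }
    return null;
}

// Constructed inputs, in the decoded form PHP places in $_REQUEST.
$samples = [
    'Computer',               // allowlisted
    'ticket',                 // allowlisted, different case
    'Software',               // valid identifier, not on the list
    "../../some/file\0",      // traversal sequence plus NUL byte
    "Computer\n",             // trailing newline
    ['Computer'],             // array instead of string
];
foreach ($samples as $s) {
    printf("%-28s => %s\n", json_encode($s), var_export(resolve_itemtype($s), true));
}

// Call-site shape for the script above (not executed here):
//   $itemtype = resolve_itemtype(isset($_REQUEST['itemtype']) ? $_REQUEST['itemtype'] : null);
//   if ($itemtype === null) { exit(); }
//   $item = new $itemtype();
```
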
Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Humberto Cabrera
References
Changelog
19.06.2013 - Initial release
20.06.2013 - Added reference [1], [2], [3] and [4]
22.06.2013 - Added reference [5] and [6]
02.07.2013 - Added reference [7] and [8]
03.07.2013 - Added reference [9]