
GLPI v0.83.8 Multiple Error-based SQL Injection Vulnerabilities

Risk: Medium
Advisory ID: ZSL-2013-5146
Release Date: 19 June 2013
Vendor: INDEPNET Development Team - http://www.glpi-project.org
Affected Version: 0.83.7 and 0.83.8
Tested On: Microsoft Windows 7 Ultimate SP1 (EN) - Apache/2.4.3, PHP/5.4.7; Linux CentOS 6.0 (Final) - Apache/2.2.15, PHP/5.3.3
Summary

GLPI, an initialism for Gestionnaire libre de parc informatique (Free Management of Computer Equipment), was designed by the Indepnet Association (a non-profit organisation) in 2003. GLPI is a free asset and IT management software package; it also offers functionality such as an ITIL service desk, license tracking and software auditing.

Description

Input passed via the POST parameter 'users_id_assign' to the '/ajax/ticketassigninformation.php' script, the POST parameter 'filename' to the '/front/document.form.php' script, and the POST parameter 'table' to the '/ajax/comments.php' script is not properly sanitised before being used in SQL queries. In the first case the value reaches countElementsInTable() through CommonITILObject::countActiveObjectsForTech(); in the second, the extension split off the filename is interpolated into the LIKE clause of Document::isValidDoc(); in the third, the value is passed through TableExists() to DBmysql::list_tables(), which concatenates it into a SHOW TABLES LIKE statement. A single quote in any of these values terminates the string literal, so an attacker can manipulate the queries by injecting arbitrary SQL. The injection is error-based: as the dumps below show, the application returns the failing query, the MySQL error message and a PHP backtrace to the client, disclosing the full query text, absolute filesystem paths and the call chain.

/inc/db.function.php:
---------------------
274: function countElementsInTable($table, $condition="") {
275:    global $DB;
276:
277:    if (is_array($table)) {
278:       $table = implode('`,`',$table);
279:    }
280:
281:    $query = "SELECT COUNT(*) AS cpt
282:              FROM `$table`";
283:
284:    if (!empty($condition)) {
285:       $query .= " WHERE $condition ";
286:    }
287:
288:    $result =$DB->query($query);
289:    $ligne = $DB->fetch_array($result);
290:    return $ligne['cpt'];
291: }
----------------------------------------------------------------------

*** MySQL query error :
*** SQL: SELECT COUNT(*) AS cpt
         FROM `glpi_tickets`,`glpi_tickets_users`
         WHERE `glpi_tickets_users`.`tickets_id` = `glpi_tickets`.`id`
               AND `glpi_tickets_users`.`users_id` = '2''
               AND `glpi_tickets_users`.`type` = '2'
               AND `glpi_tickets`.`is_deleted` = 0
               AND `glpi_tickets`.`status` NOT IN ('solved', 'closed')
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2' AND `glpi_tickets`.`is_deleted` = 0 ' at line 3
Backtrace :
/var/www/html/glpi/inc/db.function.php :288 DBmysql->query()
/var/www/html/glpi/inc/commonitilobject.class.php :362 countElementsInTable()
/var/www/html/glpi/ajax/ticketassigninformation.php :66 CommonITILObject->countActiveObjectsForTech()
/var/www/html/glpi/ajax/ticketassigninformation.php

======================================================================

/inc/document.class.php:
------------------------
1221:    static function isValidDoc($filename) {
1222:       global $DB;
1223:
1224:       $splitter = explode(".",$filename);
1225:       $ext      = end($splitter);
1226:
1227:       $query="SELECT *
1228:               FROM `glpi_documenttypes`
1229:               WHERE `ext` LIKE '$ext'
1230:                     AND `is_uploadable`='1'";
1231:
1232:       if ($result = $DB->query($query)) {
1233:          if ($DB->numrows($result)>0) {
1234:             return Toolbox::strtoupper($ext);
1235:          }
1236:       }
1237:       return "";
1238:    }
----------------------------------------------------------------------

*** MySQL query error :
*** SQL: SELECT *
         FROM `glpi_documenttypes`
         WHERE `ext` LIKE '1''
               AND `is_uploadable`='1'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' at line 3
Backtrace :
/var/www/html/glpi/inc/document.class.php :1232 DBmysql->query()
/var/www/html/glpi/inc/document.class.php :1088 Document::isValidDoc()
/var/www/html/glpi/inc/document.class.php :275 Document::uploadDocument()
/var/www/html/glpi/inc/commondbtm.class.php :878 Document->prepareInputForUpdate()
/var/www/html/glpi/front/document.form.php :99 CommonDBTM->update()
/var/www/html/glpi/front/document.form.php

======================================================================

/inc/dbmysql.class.php:
-----------------------
364:    function list_tables($table="glpi_%") {
365:       return $this->query("SHOW TABLES LIKE '".$table."'");
366:    }
----------------------------------------------------------------------

*** MySQL query error :
*** SQL: SHOW TABLES LIKE '%glpi_users'%'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1
Backtrace :
/var/www/html/glpi/glpi/inc/dbmysql.class.php :365 DBmysql->query()
/var/www/html/glpi/inc/db.function.php :1182 DBmysql->list_tables()
/var/www/html/glpi/ajax/comments.php :47 TableExists()
/var/www/html/glpi/ajax/comments.php
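The three sinks above fail for three slightly different reasons, and each needs a different fix: a table name is an SQL identifier and cannot be bound as a parameter, a LIKE pattern stays a pattern even when bound, and SHOW TABLES LIKE takes no placeholder at all. The following hardened counterparts are an added example written for this page; they are not GLPI code and not the vendor's 0.83.9 fix. They assume a mysqli connection, a hypothetical allow-list of table names, and placeholder connection details.

```php
<?php
// Added example, not GLPI code and not the vendor's fix: hardened counterparts
// of the three sinks quoted in the advisory, using mysqli prepared statements.
// The allow-list, connection details and sample inputs are assumptions.
declare(strict_types=1);

// Make prepare()/execute() failures throw instead of returning false, so the
// caller can log them server-side rather than echo query text to the client.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Counterpart of countElementsInTable(). The table name is an identifier and
 * cannot be bound, so it is validated against an allow-list before being
 * placed between backticks. User-controlled values never go into $condition:
 * the caller writes "?" placeholders there and passes the values in $params.
 */
function countElementsInTableSafe(mysqli $db, string $table, string $condition = '', array $params = []): int
{
    // Hypothetical allow-list; a real deployment would derive it from the schema.
    static $allowedTables = ['glpi_tickets', 'glpi_tickets_users', 'glpi_users', 'glpi_documenttypes'];
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException('Unknown table: ' . $table);
    }
    $sql = 'SELECT COUNT(*) AS cpt FROM `' . $table . '`';
    if ($condition !== '') {
        $sql .= ' WHERE ' . $condition;
    }
    $stmt = $db->prepare($sql);
    if ($params !== []) {
        // All values bound as strings; MySQL coerces them in the comparison.
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    }
    $stmt->execute();
    return (int) $stmt->get_result()->fetch_assoc()['cpt'];
}

/**
 * Counterpart of Document::isValidDoc(). The extension is bound, and the
 * comparison uses "=" instead of LIKE: binding stops injection, but a bound
 * value containing "%" or "_" would still act as a wildcard under LIKE.
 * pathinfo() also returns "" for a name without a dot, where the original
 * end(explode(".", ...)) returned the whole filename as the extension.
 */
function isValidDocSafe(mysqli $db, string $filename): string
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '') {
        return '';
    }
    $stmt = $db->prepare(
        'SELECT 1 FROM `glpi_documenttypes` WHERE `ext` = ? AND `is_uploadable` = 1 LIMIT 1'
    );
    $stmt->bind_param('s', $ext);
    $stmt->execute();
    return $stmt->get_result()->num_rows > 0 ? strtoupper($ext) : '';
}

/**
 * Counterpart of TableExists() / DBmysql::list_tables(). SHOW TABLES LIKE has
 * no bindable parameter, so the lookup is moved to information_schema, where
 * the table name is a bound value compared with "=" (an exact match, so the
 * "%" in the advisory's payload is just a character that matches nothing).
 */
function tableExistsSafe(mysqli $db, string $table): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM information_schema.TABLES WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = ? LIMIT 1'
    );
    $stmt->bind_param('s', $table);
    $stmt->execute();
    return $stmt->get_result()->num_rows > 0;
}

// Usage with the same hostile inputs the advisory's error dumps show
// (connection details are placeholders; run against a GLPI schema):
//
// $db = new mysqli('localhost', 'glpi', 'secret', 'glpi');
// countElementsInTableSafe($db, 'glpi_tickets_users',
//     '`users_id` = ? AND `type` = ?', ["2'", '2']);   // "2'" is now a plain value, no error
// isValidDocSafe($db, "report.1'");                     // extension "1'" simply matches no row
// tableExistsSafe($db, "%glpi_users'%");                // false, no syntax error
```

With mysqli_report() in strict mode the database errors become exceptions; catch them at the application boundary and log the query and backtrace there. Returning them in the HTTP response, as the dumps above show GLPI 0.83.8 doing, is what turns a syntax error into an error-based injection oracle.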
Proof of Concept
Disclosure Timeline
20.06.2013 Vendor releases version 0.83.9 to address these issues.
Credits
Vulnerability discovered by Humberto Cabrera
References
Changelog
19.06.2013 Initial release
20.06.2013 Added vendor status and reference [1], [2], [3] and [4]
22.06.2013 Added reference [5], [6], [7], [8], [9] and [10]
23.06.2013 Added reference [11] and [12]
02.07.2013 Added reference [13]