exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

GLPI 0.83.9 Code Execution

GLPI 0.83.9 Code Execution
Posted Jul 1, 2013

GLPI version 0.83.9 suffers from a remote PHP code execution vulnerability in the unserialize() function.

tags | exploit, remote, php, code execution
advisories | CVE-2013-2225
SHA-256 | 382173b69e5b1dc2a471b37ca3ebd677f1742f77e6ce5504c3668e6680febce1

GLPI 0.83.9 Code Execution

Change Mirror Download
=======================================
Advisory title: unserialize vulnerability in GLPI 0.83.9
Product: GLPI 0.83.9
Discovered by: Xavier Mehrenberger <at> Cassidian CyberSecurity
Vulnerable version: 0.83.9
Tested: v0.83.9, 2013-06-21
Fixed in repository: 2013-06-23 commits 21169 to 21180
Category: Potential PHP code execution
Vulnerability type: [CWE-502] Deserialization of Untrusted Data
CVE IDs: none yet
By: Xavier Mehrenberger
Cassidian CyberSecurity
http://www.cassidiancybersecurity.com
=======================================

----- CVE-2013-XXXX Required configuration: No specific configuration required

Steps to reproduce:
* Issue a request to
glpi/front/ticket.form.php?id=1&_predefined_fields=XXXX,
* replacing XXX with a serialized PHP object

Vulnerable code sample:
--- file ticket.class.php, function showFormHelpdesk
if (isset($options['_predefined_fields'])) {
$options['_predefined_fields']
=
unserialize(rawurldecode(stripslashes($options['_predefined_fields'])));
---

When passing a non-existent empty serialized class (ex: class called "exploit" value "O%3A7%3A%22exploit%22%3A0%3A%7B%7D"), an error occurs, which is caught by the userErrorHandlerNormal function in toolbox.class.php.

When a PHP object gets unserialized, its __wakeup() function is executed. When this object gets destroyed, its __destruct() function is executed (since PHP5). No such object exists throughout the GLPI codebase. However, it might exist in a third-party library, as demonstrated by Stefan Esser [2].


More information about this vulnerability class can be found at [1].

The unsafe use of unserialize() has been fixed throughout the codebase in commits 21169 [3] to 21180.

References:
[1] https://www.owasp.org/index.php/PHP_Object_Injection
[2] http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close