Multiple vulnerabilities have been identified in GLPI (http://www.glpi-project.org).
1/ Arbitrary file upload
Severity: Important
Versions Affected
===========
All versions between 0.85 and 0.85.2
Description
=======
When an user wants to create a new ticket, he has the possibility to add an attachment. If for example he wants to add a file named "test.php" with or without adding the ticket, the file will be temporary uploaded to GLPI_ROOT/files/_tmp/test.php. We can then directly access this file through http://host/GLPI_ROOT/files/_t
To trigger this vulnerability we need an account that disposes of the rights to create a ticket.
This vulnerability is a combination of three issues:
- predictable uploaded file names (not randomized)
- upload of unauthorized file extensions
- temporary uploaded files not deleted if using an unauthorized file extension.
Impact
=====
By uploading a php file that will be interpreted a malicious user would be able to execute arbitrary code on the server.
Mitigation
======
Upgrade to GLPI 0.85.3 (https://forge.indepnet.net/is
==========
2/ Privilege escalation
Severity: Important
Versions Affected
===========
All versions <= 0.85.2
Description
=======
Taking the default account tech, he is only allowed to add users in the following groups: Self-Service, Technician. He has not the right over, for example, the super-admin group. So he cannot add the super-admin privileges to an existing user.
The problem is when creating a new user. When intercepting the POST request (GLPI_ROOT/front/user.form.php
Impact
=====
Any user who has the rights to create a new user can create a super-admin user.
Mitigation
======
Upgrade to GLPI 0.85.3 (https://forge.indepnet.net/is
Regards,
--
Peter STIEHL
1/ Arbitrary file upload
Severity: Important
Versions Affected
===========
All versions between 0.85 and 0.85.2
Description
=======
When an user wants to create a new ticket, he has the possibility to add an attachment. If for example he wants to add a file named "test.php" with or without adding the ticket, the file will be temporary uploaded to GLPI_ROOT/files/_tmp/test.php. We can then directly access this file through http://host/GLPI_ROOT/files/_t
To trigger this vulnerability we need an account that disposes of the rights to create a ticket.
This vulnerability is a combination of three issues:
- predictable uploaded file names (not randomized)
- upload of unauthorized file extensions
- temporary uploaded files not deleted if using an unauthorized file extension.
Impact
=====
By uploading a php file that will be interpreted a malicious user would be able to execute arbitrary code on the server.
Mitigation
======
Upgrade to GLPI 0.85.3 (https://forge.indepnet.net/is
==========
2/ Privilege escalation
Severity: Important
Versions Affected
===========
All versions <= 0.85.2
Description
=======
Taking the default account tech, he is only allowed to add users in the following groups: Self-Service, Technician. He has not the right over, for example, the super-admin group. So he cannot add the super-admin privileges to an existing user.
The problem is when creating a new user. When intercepting the POST request (GLPI_ROOT/front/user.form.php
Impact
=====
Any user who has the rights to create a new user can create a super-admin user.
Mitigation
======
Upgrade to GLPI 0.85.3 (https://forge.indepnet.net/is
Regards,
--
Peter STIEHL