oss-security July 2011 archive

[oss-security] CVE Request -- GLPI -- Properly blacklist some sensitive fields

From: Jan Lieskovsky <jlieskov_at_nospam>
Date: Mon Jul 25 2011 - 12:52:42 GMT
To: "Steven M. Christey" <coley@linus.mitre.org>

Hello Josh, Steve, vendors,

   it was found that GLPI, the Information Resource-Manager with an
additional Administration-Interface, did not properly blacklist certain
sensitive variables (like GLPI username and password). A remote attacker
could use this flaw to obtain access to the plaintext form of these values
via a specially crafted HTTP POST request.

References:
[1] http://www.glpi-project.org/spip.php?page=annonce&id_breve=237&lang=en
[2] https://forge.indepnet.net/projects/glpi/versions/605
[3] https://forge.indepnet.net/issues/3017

Relevant patches:
[4] https://forge.indepnet.net/projects/glpi/repository/revisions/14951
[5] https://forge.indepnet.net/projects/glpi/repository/revisions/14952
[6] https://forge.indepnet.net/projects/glpi/repository/revisions/14954
[7] https://forge.indepnet.net/projects/glpi/repository/revisions/14955
[8] https://forge.indepnet.net/projects/glpi/repository/revisions/14956
[9] https://forge.indepnet.net/projects/glpi/repository/revisions/14957
[10] https://forge.indepnet.net/projects/glpi/repository/revisions/14958
[11] https://forge.indepnet.net/projects/glpi/repository/revisions/14960
[12] https://forge.indepnet.net/projects/glpi/repository/revisions/14966

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
-- Jan iankko Lieskovsky / Red Hat Security Response Team
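As an added illustration of the flaw class described in the request above, and not GLPI's own code: the message does not name the code path that exposed the values, so the helper names, field names, mask string and the "debug dump" mechanism below are all assumptions. It places a request dump whose deny-list of sensitive field names is incomplete beside one that matches credential-like names more broadly and recurses into nested arrays.

```php
<?php
// Added illustration of the bug class in the CVE request above. This is not
// GLPI code; the field names, mask format and helper names are assumptions.

const MASK = '********';

// Weak variant: exact-match deny-list. Any field not spelled exactly
// "password" (a confirmation field, a capitalised or prefixed name, a nested
// LDAP bind password) is dumped in clear.
function maskSensitiveWeak(array $vars): array
{
    $blacklist = ['password'];
    foreach ($vars as $name => $value) {
        if (in_array($name, $blacklist, true)) {
            $vars[$name] = MASK;
        }
    }
    return $vars;
}

// Hardened variant: case-insensitive substring match against a broader list
// of credential-like names, applied recursively so nested arrays are covered.
function maskSensitive(array $vars): array
{
    // Assumed list; extend it with the application's own credential fields.
    static $markers = ['password', 'passwd', 'secret', 'token',
                       'api_key', 'apikey', 'login', 'username'];
    foreach ($vars as $name => $value) {
        if (is_array($value)) {
            $vars[$name] = maskSensitive($value);
            continue;
        }
        $lower = strtolower((string) $name);
        foreach ($markers as $marker) {
            if (strpos($lower, $marker) !== false) {
                $vars[$name] = MASK;
                break;
            }
        }
    }
    return $vars;
}

// A debug helper of the kind that produces this class of issue: it renders the
// submitted request back to the client (or into a log) and relies entirely on
// the masker to keep credentials out of the output.
function dumpRequest(array $post, callable $masker): string
{
    $out = '';
    foreach ($masker($post) as $name => $value) {
        $rendered = is_array($value) ? json_encode($value) : (string) $value;
        $out .= $name . '=' . $rendered . "\n";
    }
    return $out;
}

// Constructed sample POST body, not captured traffic. An attacker who can
// trigger the dump chooses field names that slip past the weak deny-list.
$post = [
    'login'     => 'admin',
    'password'  => 'hunter2',
    'password2' => 'hunter2',                       // confirmation field
    'Password'  => 'hunter2',                       // case variant
    'ldap'      => ['bind_password' => 'ldapsecret'], // nested credential
    'name'      => 'Printer 1',                     // harmless field
];

echo "--- weak ---\n",     dumpRequest($post, 'maskSensitiveWeak');
echo "--- hardened ---\n", dumpRequest($post, 'maskSensitive');
```

With the weak masker only the exact key "password" is hidden; "password2", "Password" and the nested "bind_password" come back in clear, which is the shape of the problem the request describes. Substring matching and recursion close those gaps, but any deny-list stays brittle as new fields are added, so the more robust design is an allow-list of fields known to be safe to display, or not echoing request bodies at all outside a developer-only debug mode.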