oss-security July 2011 archive

Re: [oss-security] CVE Request -- GLPI -- Properly blacklist some sensitive fields

From: Josh Bressers <bressers_at_nospam>
Date: Tue Jul 26 2011 - 19:57:34 GMT
To: oss-security@lists.openwall.com

Please use CVE-2011-2720.

Thanks.

-- JB

----- Original Message -----
> Hello Josh, Steve, vendors,
>
> it was found that GLPI, the Information Resource-Manager with an
> additional Administration-Interface, did not properly blacklist certain
> sensitive variables (like GLPI username and password). A remote attacker
> could use this flaw to obtain access to plaintext form of these values
> via specially-crafted HTTP POST request.
>
> References:
> [1] http://www.glpi-project.org/spip.php?page=annonce&id_breve=237&lang=en
> [2] https://forge.indepnet.net/projects/glpi/versions/605
> [3] https://forge.indepnet.net/issues/3017
>
> Relevant patches:
> [4] https://forge.indepnet.net/projects/glpi/repository/revisions/14951
> [5] https://forge.indepnet.net/projects/glpi/repository/revisions/14952
> [6] https://forge.indepnet.net/projects/glpi/repository/revisions/14954
> [7] https://forge.indepnet.net/projects/glpi/repository/revisions/14955
> [8] https://forge.indepnet.net/projects/glpi/repository/revisions/14956
> [9] https://forge.indepnet.net/projects/glpi/repository/revisions/14957
> [10] https://forge.indepnet.net/projects/glpi/repository/revisions/14958
> [11] https://forge.indepnet.net/projects/glpi/repository/revisions/14960
> [12] https://forge.indepnet.net/projects/glpi/repository/revisions/14966
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team