GLPI versions 0.83.7 and 0.83.8 Multiple Vulnerabilities (SQLi/LFI)

GLPI suffers from a local file inclusion (LFI) vulnerability: input passed through the ‘filetype’ parameter to the ‘common.tabs.php’ script is not properly verified before being used to include files. This can be exploited to include files from local resources using directory traversal sequences and URL-encoded NULL bytes.
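The kind of check whose absence is described above, as an added PHP example (not GLPI's code and not part of the advisory). The function name, the `.class.php` file naming scheme and the allowlist entries are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not GLPI code. The function name, file layout and
// allowlist entries are assumptions for illustration.

/** Map a request-supplied type name to a file under $baseDir, or null. */
function resolve_include(string $name, string $baseDir, array $allowed): ?string
{
    // An embedded NUL byte truncated paths in older PHP versions, cutting
    // off the suffix the application appends. Reject it outright.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // Plain identifiers only: no dots or slashes, so "../" cannot appear.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/D', $name)) {
        return null;
    }
    // Only names the application knows about may select a file.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // Defence in depth: canonicalise and confirm the result stays in $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . strtolower($name) . '.class.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a scratch directory holding one includable file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'ticket.class.php', "<?php\n");

$allowed = ['Ticket', 'Computer'];            // constructed allowlist
$samples = ['Ticket', 'Computer', 'Ticket.php', '../../etc/passwd', "../../etc/passwd\0"];
foreach ($samples as $s) {
    $r = resolve_include($s, $base, $allowed);
    $shown = json_encode($s, JSON_UNESCAPED_SLASHES);
    printf("%-28s %s\n", $shown, $r === null ? 'rejected' : 'include ' . basename($r));
}

unlink($base . DIRECTORY_SEPARATOR . 'ticket.class.php');
rmdir($base);
```

Only `Ticket` resolves to a file; `Computer` is on the allowlist but has no file in the scratch directory, so the `realpath()` containment step rejects it along with the malformed names.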

Input passed via the POST parameter ‘users_id_assign’ in the ‘/ajax/ticketassigninformation.php’ script, the POST parameter ‘filename’ in the ‘/front/document.form.php’ script, and the POST parameter ‘table’ in the ‘/ajax/comments.php’ script is not properly sanitised before being used in SQL queries. An attacker can exploit this to manipulate SQL queries by injecting arbitrary SQL code into the affected application.

There are several other parameters vulnerable to SQL Injection attacks. For your convenience, test logs: more_sqli-glpi

Advisory [ZSL-2013-5145]: GLPI v0.83.7 (itemtype) Parameter Traversal Arbitrary File Access Exploit
Advisory [ZSL-2013-5146]: GLPI v0.83.8 Multiple Error-based SQL Injection Vulnerabilities
