Below are the differences between two revisions of the page.
writeup:cve-2014-8360-en [2014/12/27 17:06] tlk [GLPI - CVE-2014-8360] |
writeup:cve-2014-8360-en [2014/12/28 17:08] (Current version) tlk |
---|---|---|---|
Line 1: | Line 1: | ||
====== GLPI - CVE-2014-8360 ====== | ====== GLPI - CVE-2014-8360 ====== | ||
- | The vulnerability can be exploited when the function ''getItemForItemtype()'' is called with a user controllable parameter (authenticated or not). For example, in ''ajax/common.tabs.php'' line 63 : | + | The vulnerability can be exploited when the function ''getItemForItemtype()'' is called with a user controllable parameter (authenticated or not). For example, in ''ajax/common.tabs.php'' line 63: |
<code php> | <code php> | ||
Line 13: | Line 13: | ||
</code> | </code> | ||
- | The function ''getItemForItemtype()'' tries to instanciate an object with the name given in parameter. It can be found in ''inc/db.functions.php'' line 200. | + | The function ''getItemForItemtype()'' tries to instantiate an object with the name given in parameter. It can be found in ''inc/db.functions.php'' line 200. |
<code php> | <code php> | ||
Line 34: | Line 34: | ||
</code> | </code> | ||
- | The fact is that the function ''class_exists'' checks if the class exists by calling registered autoload functions. Let's see one of this function: ''SimplePie_Autoloader::autoload'' (which is in ''inc/autoload.function.php''). | + | The fact is that the function ''class_exists'' checks if the class exists by calling registered autoload functions. Let's see one of those function: ''SimplePie_Autoloader::autoload'' (which is in ''inc/autoload.function.php''). |
<code php> | <code php> | ||
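Review bot: the corrected (right-hand) version of the sentence introducing the autoloader still has a number agreement error, "Let's see one of those function"; it should read "one of those functions". The change from "one of this function" is otherwise fine.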
Line 78: | Line 78: | ||
If the class name begins with ''SimplePie'' then all ''_'' occurrences are remplaced with ''/'' and the function ''require_once'' is called. Thus, it is possible to include a local file by calling the page with, for example, ''itemtype=SimplePie_.._.._.._.._.._.._.._.._.._tmp_ponce''. | If the class name begins with ''SimplePie'' then all ''_'' occurrences are remplaced with ''/'' and the function ''require_once'' is called. Thus, it is possible to include a local file by calling the page with, for example, ''itemtype=SimplePie_.._.._.._.._.._.._.._.._.._tmp_ponce''. | ||
- | However, there is some problems to exploit correctly this vulnerability: | + | However, there are some problems to exploit correctly this vulnerability: |
* Some versions of PHP (I don't know which ones exactly) are filtering the class name before autoload functions are called. Thus it is impossible to provide a name with a ''.''. | * Some versions of PHP (I don't know which ones exactly) are filtering the class name before autoload functions are called. Thus it is impossible to provide a name with a ''.''. | ||
- | * We need a way to write a local file with the extension ''.php'' and control his content. | + | * We need a way to write a local file with the extension ''.php'' and control its content. |
===== First Patch ===== | ===== First Patch ===== | ||
- | The first patch adds a check in the autoload function of SimplePie : https://forge.indepnet.net/projects/glpi/repository/revisions/23191/diff/branches/0.84-bugfixes/inc/autoload.function.php | + | The first patch adds a check in the autoload function of SimplePie: https://forge.indepnet.net/projects/glpi/repository/revisions/23191/diff/branches/0.84-bugfixes/inc/autoload.function.php |
<code diff> | <code diff> | ||
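Review bot: "remplaced" in the line describing the SimplePie autoloader ("all ''_'' occurrences are remplaced with ''/''") is a typo carried unchanged through both revisions; it should read "replaced". In the same region, the first bullet still says "Some versions of PHP (I don't know which ones exactly)" are filtering the class name before autoload functions are called; if the versions where this was observed are known, naming them would make the exploitability condition precise, since the example ''itemtype'' value given just above relies on ''.'' being accepted.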
Line 110: | Line 110: | ||
===== Second patch ===== | ===== Second patch ===== | ||
- | Complete patch is available here : https://forge.indepnet.net/projects/glpi/repository/revisions/23200/diff/trunk/inc/autoload.function.php | + | Complete patch is available here: https://forge.indepnet.net/projects/glpi/repository/revisions/23200/diff/trunk/inc/autoload.function.php |
<code diff> | <code diff> | ||
Line 171: | Line 171: | ||
</code> | </code> | ||
- | Two changes : | + | Two changes: |
- | * in ''glpi_autoload'', if a ''.'' is find into the parameter, then ''die'' is called | + | * in ''glpi_autoload'', if a ''.'' is found into the parameter, then ''die'' is called |
* the registration order of autoload functions is modified, meaning that calling order is also modified ... | * the registration order of autoload functions is modified, meaning that calling order is also modified ... | ||
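Review bot: the last bullet ends with "calling order is also modified ..." and leaves the consequence unstated; suggest finishing the sentence by saying which autoloader now runs first. The ''die'' on ''.'' in ''glpi_autoload'' described in the preceding bullet only protects the SimplePie path if ''glpi_autoload'' is invoked before ''SimplePie_Autoloader::autoload'', so the reader needs the new order to understand why the second patch is complete.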