Differences

Below are the differences between two revisions of the page.

Lien vers cette vue comparative

Les deux révisions précédentes Révision précédente
Prochaine révision
Révision précédente
writeup:cve-2014-8360-en [2014/12/27 17:06]
tlk [GLPI - CVE-2014-8360]
writeup:cve-2014-8360-en [2014/12/28 17:08] (current version)
tlk
Line 1: Line 1:
 ====== GLPI - CVE-2014-8360 ====== ====== GLPI - CVE-2014-8360 ======
  
-The vulnerability can be exploited when the function ''​getItemForItemtype()''​ is called with a user controllable parameter (authenticated or not). For example, in ''​ajax/​common.tabs.php''​ line 63 :+The vulnerability can be exploited when the function ''​getItemForItemtype()''​ is called with a user controllable parameter (authenticated or not). For example, in ''​ajax/​common.tabs.php''​ line 63:
  
 <code php> <code php>
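Review bot: on the new side of the line beginning "The vulnerability can be exploited", "user controllable parameter" should be hyphenated as "user-controllable parameter"; dropping the space before the colon is correct. Nothing else in this hunk changes.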
Line 13: Line 13:
 </​code>​ </​code>​
  
-The function ''​getItemForItemtype()''​ tries to instanciate ​an object with the name given in parameter. It can be found in ''​inc/​db.functions.php''​ line 200.+The function ''​getItemForItemtype()''​ tries to instantiate ​an object with the name given in parameter. It can be found in ''​inc/​db.functions.php''​ line 200.
  
 <code php> <code php>
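Review bot: the new side correctly fixes "instanciate" to "instantiate", but "with the name given in parameter" is still unidiomatic; suggest "with the name passed as its parameter". Since this is the sink the whole writeup turns on, it would help to state here that the name reaches class_exists() without any validation, which is exactly what the "First Patch" and "Second patch" sections later add.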
Line 34: Line 34:
 </​code>​ </​code>​
  
-The fact is that the function ''​class_exists''​ checks if the class exists by calling registered autoload functions. Let's see one of this function: ''​SimplePie_Autoloader::​autoload''​ (which is in ''​inc/​autoload.function.php''​).+The fact is that the function ''​class_exists''​ checks if the class exists by calling registered autoload functions. Let's see one of those function: ''​SimplePie_Autoloader::​autoload''​ (which is in ''​inc/​autoload.function.php''​).
  
 <code php> <code php>
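Review bot: "Let's see one of those function" on the new side still needs the plural, "one of those functions". The preceding sentence, "The fact is that the function class_exists checks if the class exists by calling registered autoload functions", would be sharper as "Note that class_exists() triggers the registered autoload functions", because it is that side effect, not the existence check itself, that lets a user-controlled name reach SimplePie_Autoloader::autoload.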
Line 78: Line 78:
 If the class name begins with ''​SimplePie''​ then all ''​_''​ occurrences are remplaced with ''/''​ and the function ''​require_once''​ is called. Thus, it is possible to include a local file by calling the page with, for example, ''​itemtype=SimplePie_.._.._.._.._.._.._.._.._.._tmp_ponce''​. If the class name begins with ''​SimplePie''​ then all ''​_''​ occurrences are remplaced with ''/''​ and the function ''​require_once''​ is called. Thus, it is possible to include a local file by calling the page with, for example, ''​itemtype=SimplePie_.._.._.._.._.._.._.._.._.._tmp_ponce''​.
  
-However, there is some problems to exploit correctly this vulnerability:​+However, there are some problems to exploit correctly this vulnerability:​
   * Some versions of PHP (I don't know which ones exactly) are filtering the class name before autoload functions are called. Thus it is impossible to provide a name with a ''​.''​.   * Some versions of PHP (I don't know which ones exactly) are filtering the class name before autoload functions are called. Thus it is impossible to provide a name with a ''​.''​.
-  * We need a way to write a local file with the extension ''​.php''​ and control ​his content.+  * We need a way to write a local file with the extension ''​.php''​ and control ​its content.
  
 ===== First Patch ===== ===== First Patch =====
  
-The first patch adds a check in the autoload function of SimplePie : https://​forge.indepnet.net/​projects/​glpi/​repository/​revisions/​23191/​diff/​branches/​0.84-bugfixes/​inc/​autoload.function.php+The first patch adds a check in the autoload function of SimplePie: https://​forge.indepnet.net/​projects/​glpi/​repository/​revisions/​23191/​diff/​branches/​0.84-bugfixes/​inc/​autoload.function.php
  
 <code diff> <code diff>
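Review bot: "remplaced" is misspelled on both sides of the line beginning "If the class name begins with SimplePie"; it should be "replaced". In the same region, "there are some problems to exploit correctly this vulnerability" reads better as "there are some obstacles to exploiting this vulnerability reliably", and the bullet "Some versions of PHP (I don't know which ones exactly)" would be far more useful to readers assessing their exposure if it named the PHP versions that filter the class name before autoloaders run, or linked to the PHP change that introduced that filtering. The new side's "his content" to "its content" fix is correct.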
Line 110: Line 110:
 ===== Second patch ===== ===== Second patch =====
  
-Complete patch is available here : https://​forge.indepnet.net/​projects/​glpi/​repository/​revisions/​23200/​diff/​trunk/​inc/​autoload.function.php+Complete patch is available here: https://​forge.indepnet.net/​projects/​glpi/​repository/​revisions/​23200/​diff/​trunk/​inc/​autoload.function.php
  
 <code diff> <code diff>
Line 171: Line 171:
 </​code>​ </​code>​
  
-Two changes : +Two changes: 
-  * in ''​glpi_autoload'',​ if a ''​.''​ is find into the parameter, then ''​die''​ is called+  * in ''​glpi_autoload'',​ if a ''​.''​ is found into the parameter, then ''​die''​ is called
   * the registration order of autoload functions is modified, meaning that calling order is also modified ...   * the registration order of autoload functions is modified, meaning that calling order is also modified ...
  
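Review bot: "if a . is found into the parameter" on the new side should be "found in the parameter", and the second bullet ends in a trailing "..." that leaves the consequence of the changed registration order unstated; say explicitly which autoloader now runs first and why that ordering matters for the fix (that is, whether glpi_autoload's check now runs before SimplePie_Autoloader::autoload can call require_once).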
writeup/cve-2014-8360-en.1419700003.txt.gz · Last modified: 2014/12/27 17:06 by tlk