Hi,

* Nelson A. de Oliveira <nao...@debian.org> [2009-01-30 19:06]:
> glpi versions prior to 0.71.4 are affected by a SQL injection vulnerability.
> See the upstream announce [1] and SecurityFocus [2].
>
> [1] http://www.glpi-project.org/spip.php?page=annonce&id_breve=161&lang=en
> [2] http://www.securityfocus.com/bid/33477
Looking at how this was fixed I am not really happy with having glpi in Debian. glpi uses addslashes all over the place to prevent sql injection and they just embedded each search string into '' to quote it now. addslashes is known to be problematic depending on the encoding. I see no single use of mysql_real_escape_string in the complete code and also no custom escaping besides this.

I am no expert in web security but the whole software looks rather fragile to me. For example:

http://demo.glpi-project.org/front/computer.php?sort=23&order=,if(1=1,os,os)%20desc&start=0&field[0]=view&contains[0]=%&field2[0]=view&contains2[0]=

works, even if injecting into the order by is not of much use, but I am pretty sure that there are other sql injections as well.

I would be in favor of removing this from lenny until someone does a complete audit. Raphael? ;)

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
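The two weaknesses Nico points at, illustrated side by side. This is an added example written in Python against an in-memory SQLite table, not GLPI's code (GLPI is PHP) and not anything from the thread: the `addslashes` emulation shows why escaping that ignores the connection charset is fragile, and the `sort`/`order` builders show why quoting a search string does nothing for values that end up in ORDER BY, where only a whitelist of identifiers helps. Table name, column names and rows are constructed for the example.

```python
"""
Added illustration (not GLPI code) of two points from the mail:

1. addslashes()-style escaping is not charset-aware: the same escaped bytes
   read differently under different connection encodings, so a quote that
   looks escaped in one charset is unescaped in another. This is the reason
   charset-aware escaping (mysql_real_escape_string) or, better, bound
   parameters are preferred.
2. Quoting only protects string literals. The `sort`/`order` request
   parameters become identifiers/keywords in ORDER BY, which cannot be
   quoted away; they need a fixed whitelist.
"""
import sqlite3


def addslashes(data: bytes) -> bytes:
    """Byte-for-byte emulation of PHP addslashes(): a backslash is put in
    front of single quote, double quote, backslash and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # backslash
        out.append(b)
    return bytes(out)


def quote_survives(raw: bytes, encoding: str) -> bool:
    """Escape `raw` with addslashes(), then decode it the way a database
    using `encoding` would. True when every single quote in the decoded text
    is still preceded by a backslash; False when a multibyte lead byte has
    swallowed the inserted backslash and the quote is bare again."""
    text = addslashes(raw).decode(encoding)
    return all(i > 0 and text[i - 1] == "\\" for i, ch in enumerate(text) if ch == "'")


ALLOWED_SORT = {"name", "os", "serial"}   # constructed column whitelist
ALLOWED_ORDER = {"ASC", "DESC"}


def build_query_unsafe(sort: str, order: str) -> str:
    """The pattern the mail describes: request parameters pasted into
    ORDER BY. Wrapping the *search string* in quotes cannot help here,
    because identifiers and sort directions are not string literals."""
    return f"SELECT name, os FROM computers WHERE name LIKE ? ORDER BY {sort} {order}"


def build_query_safe(sort: str, order: str) -> str:
    """Identifier and direction are checked against a fixed whitelist before
    they are interpolated; the search value stays a bound parameter (`?`)."""
    if sort not in ALLOWED_SORT:
        raise ValueError(f"unexpected sort column: {sort!r}")
    order = order.upper()
    if order not in ALLOWED_ORDER:
        raise ValueError(f"unexpected sort direction: {order!r}")
    return f"SELECT name, os FROM computers WHERE name LIKE ? ORDER BY {sort} {order}"


def search(sort: str, order: str, contains: str) -> list[tuple[str, str]]:
    """Run the hardened query against a constructed in-memory inventory."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE computers (name TEXT, os TEXT, serial TEXT)")
    con.executemany("INSERT INTO computers VALUES (?, ?, ?)", [
        ("pc-02", "debian", "S2"),
        ("pc-01", "fedora", "S1"),
        ("srv-01", "debian", "S3"),
    ])
    # The LIKE pattern is bound, never concatenated: quotes in `contains`
    # are data, not SQL (LIKE wildcards still apply, as a search box expects).
    rows = con.execute(build_query_safe(sort, order), (contains,)).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    print("latin-1 keeps the quote escaped:", quote_survives(b"\xbf'", "latin-1"))
    print("gbk swallows the backslash:     ", quote_survives(b"\xbf'", "gbk"))
    print(build_query_unsafe("name", "desc -- anything goes here"))
    print(search("name", "asc", "pc-%"))
```

Under latin-1 the escaped bytes `BF 5C 27` read as three characters and the quote stays escaped; under GBK `BF 5C` is one two-byte character and the quote stands alone, which is the encoding dependence the mail refers to. The hardened builder rejects any `sort` or `order` value outside the whitelist instead of trying to quote it.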