On Friday 30 January 2009 15:09:34 Nico Golde wrote:
> Hi,
>
> * Nelson A. de Oliveira <nao...@debian.org> [2009-01-30 19:06]:
> > glpi versions prior to 0.71.4 are affected by a SQL injection
> > vulnerability. See the upstream announce [1] and SecurityFocus [2].
> >
> > [1]
> > http://www.glpi-project.org/spip.php?page=annonce&id_breve=161&lang=en
> > [2] http://www.securityfocus.com/bid/33477
>
> Looking at how this was fixed I am not really happy with
> having glpi in Debian. glpi uses addslashes all over the
> place to prevent sql injection and they just embedded each
> search string into '' to quote it now. addslashes is known to
> be problematic depending on the encoding.

That's right

>
> I see no single use of mysql_real_escape_string in the
> complete code and also no custom escaping besides this.
>
> I am no expert in websecurity but the whole software looks
> rather fragile to me.
>

Yes it is. XSS attacks can be deployed via the Referer header because of the 
lack of input sanitisation. The anti-XSS techniques it uses are far away from 
being perfect as it basically assumes that XSS attacks can only be performed 
when < or > exist. 
It also appears to make attempts to handle utf8, which means that the usual 
encoding attacks could be deployed (leading to SQL injections or XSS 
attacks).
phpCAS is embedded which has its own set of vulnerabilities as well.

> For example:
> http://demo.glpi-project.org/front/computer.php?sort=23&order=,if(1=1,os,os)%20desc&start=0&field[0]=view&contains[0]=%&field2[0]=view&contains2[0]=
> works even if injecting the order by order is not much of a
> use but I am pretty sure that there are other sql
> injections as well.
>

There are plenty of them which can be combined with multibyte attacks to be 
able to actually do something useful.

Those reading at home who are not familiar with multibyte attacks can read 
[1].

[1]http://cognifty.com/blog.entry/id=6/addslashes_dont_call_it_a_comeback.html

> I would be in favor of removing this from lenny until
> someone does a complete audit.

I agree.

>
> Raphael? ;)
>

Hi :)

>
> Cheers
> Nico

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
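As an added example that is not part of this thread and not GLPI's or phpCAS's code, the Python script below emulates the two escaping strategies contrasted above: byte-wise addslashes() (what GLPI relies on, followed by wrapping the value in '') and charset-aware escaping of the kind mysql_real_escape_string() performs once the client library knows the connection charset. It then shows the multibyte bypass Raphael refers to. The connection charset (GBK), the table and column names and the payload are constructed assumptions, and a small tokenizer stands in for the server's SQL lexer.

```python
"""Added example (not GLPI code): addslashes() versus charset-aware escaping
under a multibyte connection charset.  Pure Python, runs offline."""

CHARSET = "gbk"   # assumed connection charset; any charset whose lead bytes
                  # accept 0x5C ('\') as a trail byte behaves the same way


def addslashes(data: bytes) -> bytes:
    """Byte-wise emulation of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str = CHARSET) -> bytes:
    """Escape whole characters of the connection charset, as
    mysql_real_escape_string() does when the client library knows that
    charset.  A backslash inserted between characters can no longer be
    absorbed as the trail byte of a preceding lead byte, and undecodable
    bytes are replaced instead of being passed through."""
    text = data.decode(charset, errors="replace")
    for raw, esc in (("\\", "\\\\"), ("'", "\\'"), ('"', '\\"'), ("\x00", "\\0")):
        text = text.replace(raw, esc)
    return text.encode(charset, errors="replace")


def build_query(escape, name: bytes) -> bytes:
    """The pattern under discussion: escape the input, then wrap it in ''."""
    return b"SELECT id FROM glpi_users WHERE name = '" + escape(name) + b"'"


def split_sql(query: bytes, charset: str = CHARSET) -> list:
    """Stand-in for the server's lexer: decode the bytes as the connection
    charset and split them into ("sql", text) and ("str", text) parts.
    Inside a literal a backslash escapes the next character, as in MySQL."""
    text = query.decode(charset, errors="replace")
    parts, buf, inside, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if inside and c == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])      # escaped character stays in the literal
            i += 2
            continue
        if c == "'":
            parts.append(("str" if inside else "sql", "".join(buf)))
            buf, inside = [], not inside
        else:
            buf.append(c)
        i += 1
    parts.append(("str" if inside else "sql", "".join(buf)))  # trailing, possibly unterminated
    return parts


def sql_outside_literals(escape, name: bytes, charset: str = CHARSET) -> str:
    """Everything the server would execute as SQL rather than treat as string data."""
    return "".join(t for kind, t in split_sql(build_query(escape, name), charset)
                   if kind == "sql")


# Constructed payload: 0xBF is a GBK lead byte.  addslashes() turns the quote
# that follows it into 0x5C 0x27; a GBK-aware server reads 0xBF 0x5C as one
# two-byte character and the 0x27 is left as an unescaped quote.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    for label, escape in (("addslashes", addslashes),
                          ("charset-aware", charset_aware_escape)):
        print(f"{label:14s}", build_query(escape, PAYLOAD))
        print(f"{'':14s} executed as SQL:", sql_outside_literals(escape, PAYLOAD))
```

With PHP's ext/mysql the charset-aware path only exists when the connection charset was set through mysql_set_charset() (mysqli_set_charset() for mysqli); setting it with a SET NAMES query leaves the client library unaware and mysql_real_escape_string() then behaves like addslashes() for this purpose. Prepared statements with bound parameters avoid the issue for values altogether, though not for the ORDER BY case in Nico's demo URL, where the only sound approach is an allow-list of column names and directions.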
