SQL Injection & PHP Code Execution vulnerability due to outdated GLPI version
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
glpi (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
Ubuntu Natty, Precise, Quantal, Raring and Saucy currently ship an outdated version of GLPI. The shipped version is vulnerable for an SQL injection bug and the reconfiguration of a configuration file loaded each time GLPI is accessed. This allows an attacker to execute code via PHP as the webserver's user. The main problem is the GLPI installer does not make the db config file read-only for the www-data user and does not disable the installer script by default. Hence an attacker can recall the installer script and submit arbitrary code into the db config file.
Current status: This bug was fixed in an upstream version of GLPI, which is included in Trusty (0.84.2 and up).
Upstream bug report: https:/
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/ /wiki.ubuntu. com/SecurityTea m/UpdateProcedu res