
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN420
_____________________________________________________________________

DATE                : 22/07/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GLPI versions prior to 9.5.1.

=====================================================================
https://glpi-project.org/glpi-9-5-1-bugfixes-version/
https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v
_____________________________________________________________________

 GLPI 9.5.1: bugfixes version.
 Posted 16 July 2020

    After several days, Teclib’ is happy to announce the release of GLPI
9.5.1.

    This release fixes a security issue that has been recently
discovered. Updating is strongly recommended.

You can download the GLPI 9.5.1 archive on GitHub.

You’ll find below the list of changes in this bugfixes version:

    [security] SQL injection on new clone feature
    alignment of some table columns
    added domains in global search and Assets > global
    fixed several problems with email retrieval via email collectors
    fixed several display problems in the planning
    correction (and error display) of marketplace registration key input
    and others.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version
and all those who contribute regularly to the GLPI project!

Regards.

_____________________________________________________________________

Unescaped fields in clone feature lead to SQL injection
trasher published GHSA-qv6w-68gq-wx2v Jul 16, 2020

Severity
    high

Packages
    glpi-project/glpi

Affected versions
    9.5.0

Patched versions
    9.5.1

CVE identifier
    CVE-2020-15108

Impact

SQL injection for all usage of "Clone" feature.

As an example, we based our test on "Rules", but I think it's the same
for all objects that have a "string" field.

    Create a new "Business rules for tickets"
    Add this value in the description field (adapt it if you don't have a
"glpi" user in your DB):

', '', 0, (SELECT password FROM glpi_users WHERE name = 'glpi'), 1, '',
1, null, null); #

    Save your new rule
    Use the "Clone" feature in the massive actions of this new rule
    The clone is done correctly; the "glpi" user's password is injected
into the comment field of the cloned rule


Patches

See applied patch: a4baa64


Workarounds

Apply patch.


References

Since #6684


For more information

If you have any questions or comments about this advisory, please email
us at glpi-security at ow2.org


Credits

    @flegastelois (François Legastelois)
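The following is an added illustration (not GLPI's code, nor the patch a4baa64) of the defect class the advisory above describes: a clone routine that copies a stored "string" field by pasting it into SQL text, next to the hardened form that binds it as a parameter. It uses a constructed SQLite model of the two tables involved, so the payload ends with a "--" comment instead of MySQL's "#"; the table layout, column names and password value are assumptions for the demo only.

```python
import sqlite3

# Constructed stand-in for the GLPI tables the advisory mentions; not GLPI's real schema.
SCHEMA = """
CREATE TABLE glpi_users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
CREATE TABLE glpi_rules (id INTEGER PRIMARY KEY, name TEXT, description TEXT, comment TEXT);
INSERT INTO glpi_users (name, password) VALUES ('glpi', 'constructed-password-hash');
"""

# Same idea as the description value in the advisory, with a "--" comment because SQLite has no "#".
PAYLOAD = "x', (SELECT password FROM glpi_users WHERE name = 'glpi')) --"


def clone_rule_unsafe(db: sqlite3.Connection, rule_id: int) -> int:
    """Models the 9.5.0 defect: stored field values are pasted into the SQL text."""
    name, description, comment = db.execute(
        "SELECT name, description, comment FROM glpi_rules WHERE id = ?", (rule_id,)
    ).fetchone()
    sql = ("INSERT INTO glpi_rules (name, description, comment) "
           f"VALUES ('{name} (copy)', '{description}', '{comment}')")
    return db.execute(sql).lastrowid


def clone_rule_safe(db: sqlite3.Connection, rule_id: int) -> int:
    """Hardened form: values are bound parameters, so they can never alter the query."""
    name, description, comment = db.execute(
        "SELECT name, description, comment FROM glpi_rules WHERE id = ?", (rule_id,)
    ).fetchone()
    return db.execute(
        "INSERT INTO glpi_rules (name, description, comment) VALUES (?, ?, ?)",
        (f"{name} (copy)", description, comment),
    ).lastrowid


def run_clone(clone) -> tuple:
    """Store a rule whose description is PAYLOAD (bound safely, as GLPI's create path did),
    clone it with the given routine and return the clone's (description, comment)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rule_id = db.execute(
        "INSERT INTO glpi_rules (name, description, comment) VALUES (?, ?, ?)",
        ("demo rule", PAYLOAD, "original comment"),
    ).lastrowid
    new_id = clone(db, rule_id)
    return db.execute(
        "SELECT description, comment FROM glpi_rules WHERE id = ?", (new_id,)
    ).fetchone()


if __name__ == "__main__":
    print("unsafe clone:", run_clone(clone_rule_unsafe))  # comment column now holds the hash
    print("safe clone:  ", run_clone(clone_rule_safe))    # payload kept as inert text
```

The unsafe path reproduces step 5 of the advisory in miniature (the cloned rule's comment becomes the user's password hash), while the parameterized path stores the description verbatim and leaves the comment untouched.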



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
