CVE-2013-5696
published 2013-09-23


Priority: P349 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 7.85% (94.0th percentile)
inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or (2) execute arbitrary PHP code via an update_1 action.

Affected

61 ranges
Vendor | Product | Version range | Fixed in
glpi-project | glpi | <= 0.84.1 |

Detection & IOCs (extracted from sources)

path: /install/install.php
path: /config_db.php
command: passthru($_GET['cmd'])
command: install=update_1&db_host=localhost&db_user=root&db_pass=root&databasename='; } if(isset($_GET['{rand_arg}'])){ {payload} } /*
  • Detect HTTP POST requests to /install/install.php with the parameter 'install=update_1', which triggers arbitrary PHP code injection into config_db.php
  • Detect HTTP POST requests to /install/install.php with the parameter 'install=Etape_4', which triggers SQL injection
  • Monitor for unexpected modifications to /config_db.php on the web server filesystem, which may indicate successful PHP code injection via the install.php vector
  • Flag any GLPI instance where /install/install.php is accessible post-installation; versions 0.84.1 and prior (matching regex 0.(8[0-4].[0-1])|([0-7][0-9].[0-9])) are confirmed vulnerable
  • The Metasploit module is rated ManualRanking because exploitation overwrites the target's database configuration (config_db.php), which may cause target instability or data loss
  • The default TARGETURI for the Metasploit module is '/glpi/', so detection rules should account for GLPI installations at non-root paths
  • For RPM-packaged GLPI (Fedora/EPEL), the /install folder is protected and only accessible from localhost, significantly reducing exploitability in those environments
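
One way to turn the detection notes above into a log check, as an added example that is not part of the original page or of GLPI. It assumes Combined Log Format access logs; the function names, severity labels and sample lines are constructed for illustration. Because access logs do not record POST bodies, any POST to the installer is treated as suspect.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client, timestamp, request line, status (rest ignored).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
INSTALLER = re.compile(r'(?:^|/)install/install\.php$', re.IGNORECASE)  # any base path
RISKY_ACTIONS = {"update_1", "Etape_4"}  # installer actions named in the advisory
LOCAL = {"127.0.0.1", "::1"}             # RPM packaging permits localhost only

def is_affected(version):
    """True for GLPI releases before 0.84.2 (numeric dotted versions only)."""
    return tuple(int(p) for p in version.split(".")) < (0, 84, 2)

def scan(lines):
    """Return one finding per request that reaches the installer script."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        url = urlsplit(target)
        if not INSTALLER.search(url.path):
            continue
        action = parse_qs(url.query).get("install", [None])[0]
        if method == "POST" or action in RISKY_ACTIONS:
            severity = "high"    # possible update_1 / Etape_4 submission
        elif status.startswith("2"):
            severity = "medium"  # installer still served after setup
        else:
            severity = "info"    # request was refused by the server
        findings.append({"client": client, "local": client in LOCAL,
                         "method": method, "path": url.path, "action": action,
                         "status": int(status), "severity": severity})
    return findings

# Constructed sample log lines (not from a real system).
SAMPLE = [
    '203.0.113.7 - - [23/Sep/2013:10:00:01 +0000] "GET /glpi/install/install.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Sep/2013:10:00:05 +0000] "POST /glpi/install/install.php HTTP/1.1" 200 812',
    '198.51.100.4 - - [23/Sep/2013:10:02:11 +0000] "GET /install/install.php HTTP/1.1" 403 199',
    '127.0.0.1 - - [23/Sep/2013:10:03:00 +0000] "POST /install/install.php HTTP/1.1" 200 640',
    '203.0.113.9 - - [23/Sep/2013:10:04:00 +0000] "GET /glpi/front/central.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "high" finding should be correlated with the modification time of config_db.php on the same host, since the log line alone cannot show which installer action was submitted.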

CVSS provenance

nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv | 6.8 | MEDIUM