CVE-2013-5696
Published 2013-09-23
Priority P349 · medium · CVSS 2.0 base score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 7.85% (94.0th percentile)
inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or (2) execute arbitrary PHP code via an update_1 action.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | <= 0.84.1 | — |
Detection & IOCs
command: install=update_1&db_host=localhost&db_user=root&db_pass=root&databasename='; } if(isset($_GET['{rand_arg}'])){ {payload} } /*
- Detect HTTP POST requests to /install/install.php with the parameter 'install=update_1', which triggers arbitrary PHP code injection into config_db.php
- Detect HTTP POST requests to /install/install.php with the parameter 'install=Etape_4', which triggers SQL injection
- Monitor for unexpected modifications to /config_db.php on the web server filesystem, which may indicate successful PHP code injection via the install.php vector
- Flag any GLPI instance where /install/install.php is accessible post-installation; versions 0.84.1 and prior (matching regex 0.(8[0-4].[0-1])|([0-7][0-9].[0-9])) are confirmed vulnerable
- The Metasploit module is rated ManualRanking because exploitation overwrites the target's database configuration (config_db.php), which may cause target instability or data loss
- The default TARGETURI for the Metasploit module is '/glpi/', so detection rules should account for GLPI installations at non-root paths
- For RPM-packaged GLPI (Fedora/EPEL), the /install folder is protected and only accessible from localhost, significantly reducing exploitability in those environments
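One way to implement the request-level checks listed above, as an added example that is not taken from any of the quoted sources. It assumes proxy or WAF logs exported as JSON lines with hypothetical `src`, `method`, `uri` and `body` fields; the sample records are constructed.

```python
import json
import posixpath
from urllib.parse import urlsplit, unquote, parse_qs

# Installer actions named in the advisory, with the impact the page attributes to each.
RISKY_ACTIONS = {
    "update_1": "PHP code injection into config_db.php",
    "Etape_4": "SQL injection",
}
# Suffix match rather than a fixed prefix, so /glpi/ and other non-root installs are covered.
INSTALLER_SUFFIX = "/install/install.php"

# Constructed sample records (field names are assumptions, not a real log schema).
SAMPLE_LOG = """\
{"src": "198.51.100.7", "method": "POST", "uri": "/glpi/install/install.php", "body": "install=update_1&db_host=localhost&databasename=x"}
{"src": "198.51.100.7", "method": "POST", "uri": "/install//install.php?lang=en", "body": "install=Etape_4&databasename=glpi"}
{"src": "203.0.113.20", "method": "GET", "uri": "/helpdesk/install/install.php", "body": ""}
{"src": "203.0.113.21", "method": "POST", "uri": "/glpi/front/login.php", "body": "login_name=a"}
{"src": "198.51.100.9", "method": "POST", "uri": "/glpi/install/%69nstall.php", "body": "install=update_1"}
"""

def classify(record):
    """Return (severity, reason) for one request record, or None if unrelated."""
    parts = urlsplit(record["uri"])
    # Percent-decode and normalise so doubled slashes or encoded letters still match.
    path = posixpath.normpath(unquote(parts.path)).lower()
    if not path.endswith(INSTALLER_SUFFIX):
        return None
    # The page describes POST parameters; the query string is checked as well.
    params = parse_qs(parts.query, keep_blank_values=True)
    if record.get("method", "").upper() == "POST":
        body = parse_qs(record.get("body", ""), keep_blank_values=True)
        for key, values in body.items():
            params.setdefault(key, []).extend(values)
    for action in params.get("install", []):
        if action in RISKY_ACTIONS:
            return ("high", f"install={action}: {RISKY_ACTIONS[action]}")
    # Any other hit still shows the installer is reachable after installation.
    return ("low", "installer reachable after installation")

def scan(lines):
    """Classify each JSON log line and collect (src, uri, severity, reason)."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict:
            findings.append((rec["src"], rec["uri"], *verdict))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding, sep=" | ")
```

A "high" finding is a reason to compare config_db.php against a known-good copy, per the file-modification item in the list above.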
CVSS provenance
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 6.8 MEDIUM
GHSA
GHSA-c446-83mg-g9vm: inc/central
ghsa_unreviewed·2022-05-17
CVE-2013-5696 [MEDIUM] CWE-352 GHSA-c446-83mg-g9vm: inc/central
OSV
CVE-2013-5696: inc/central
osv·2013-09-23·CVSS 6.8
No detection rules found.
Exploit-DB
GLPI 0.84.1 - Multiple Vulnerabilities
exploitdb·2013-10-02·CVSS 6.8
---
Advisory ID: HTB23173
Product: GLPI
Vendor: INDEPNET
Vulnerable Version(s): 0.84.1 and probably prior
Tested Version: 0.84.1
Advisory Publication: September 11, 2013 [without technical details]
Vendor Notification: September 11, 2013
Vendor Patch: September 12, 2013
Public Disclosure: October 2, 2013
Vulnerability Type: Improper Access Control [CWE-284], Code Injection [CWE-94]
CVE Reference: CVE-2013-5696
Risk Level: Critical
CVSSv2 Base Scores: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P), 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in GLPI
Exploit-DB
GLPI - 'install.php' Remote Command Execution (Metasploit)
exploitdb·2013-09-23
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'GLPI install.php Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in the
GLPI 'install.php' script. Users should use this exploit at his own risk,
since it's going to overwrite database configuration.
},
'Author' =>
[
'Tristan Leiter ', # Navixia Research Team
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-5696' ],
[ 'URL', 'https://www.navixia.com/blog/entry/navixia-finds-cri
Metasploit
GLPI install.php Remote Command Execution
metasploit
This module exploits an arbitrary command execution vulnerability in the GLPI 'install.php' script. This module is set to ManualRanking due to this module overwriting the target database configuration, which may introduce target instability.
Bugzilla
CVE-2013-5696 glpi: multiple vulnerabilities [epel-all]
bugzilla·2013-09-23·CVSS 6.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple sup
Bugzilla
CVE-2013-5696 glpi: multiple vulnerabilities
bugzilla·2013-09-23·CVSS 6.8
GLPI, a web application designed to manage IT infrastructure, was found to have multiple vulnerabilities. An attacker could use this vulnerability to conduct SQL injection attacks or even execute arbitrary PHP code with the privileges of the user running the application.
The flaw is that glpi isn't configured properly, so install.php could be executed even after the installation is completed, so the attacker could insert or edit certain commands in install.php to perform the exploits.
References:
https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerabilities-in-glpi-cve-2013-5696.html
https://forge.indepnet.net/issues/4480
https://forge.indepnet.net/projects/glpi/repository/revisions/21753/diff/branches/0.84-bugfixes/inc/central.cla
Bugzilla
CVE-2013-5696 glpi: multiple vulnerabilities [fedora-all]
bugzilla·2013-09-23·CVSS 6.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple suppor
Greynoiseio
NoiseLetter January 2024
blogs_greynoiseio
http://www.glpi-project.org/spip.php?page=annonce&id_breve=308
https://forge.indepnet.net/issues/4480
https://forge.indepnet.net/projects/glpi/repository/revisions/21753
https://forge.indepnet.net/projects/glpi/repository/revisions/21753/diff/branches/0.84-bugfixes/inc/central.class.php
https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerabilities-in-glpi-cve-2013-5696.html
Published: 2013-09-23