[9.1.5] SQL injection in front/rulesengine.test.php #2476

AceSec · 2017-07-18T07:40:16Z

ji.xu@dbappsecurity.com.cn

I have send the detail of "SQL injection in front/rulesengine.test.php" to your email. Please check.

* ensure condition rule field is an integer; fix #2476 * ensure crit is an integer; fix #2475

AceSec · 2017-07-20T03:14:43Z

The CVE-ID of this vulnerability is CVE-2017-11475.

florian-eichelberger · 2017-08-29T14:09:21Z

As this CVE is incorrectly classified, please confirm that a working login is required to exploit the vulnerability listed under CVE-2017-11475 so NIST can use this information to update the CVSS Score.

orthagh · 2017-08-29T14:50:58Z

i confirm login is needed, see https://github.com/glpi-project/glpi/blob/9.1/bugfixes/front/rulesengine.test.php#L42

orthagh added the security label Jul 19, 2017

orthagh added a commit to orthagh/glpi that referenced this issue Jul 19, 2017

ensure condition rule field is an integer; fix glpi-project#2476

1a1e9e1

orthagh mentioned this issue Jul 19, 2017

S fixes #2481

Merged

orthagh closed this as completed in b734a85 Jul 19, 2017

orthagh added a commit that referenced this issue Jul 19, 2017

S fixes (#2481)

a6c453a

* ensure condition rule field is an integer; fix #2476 * ensure crit is an integer; fix #2475

orthagh added this to the 9.1.5.1 milestone Jul 19, 2017

[9.1.5] SQL injection in front/rulesengine.test.php #2476

[9.1.5] SQL injection in front/rulesengine.test.php #2476

AceSec commented Jul 18, 2017

AceSec commented Jul 20, 2017

florian-eichelberger commented Aug 29, 2017

orthagh commented Aug 29, 2017

[9.1.5] SQL injection in front/rulesengine.test.php #2476

[9.1.5] SQL injection in front/rulesengine.test.php #2476

Comments

AceSec commented Jul 18, 2017

ji.xu@dbappsecurity.com.cn

AceSec commented Jul 20, 2017

florian-eichelberger commented Aug 29, 2017

orthagh commented Aug 29, 2017