Bug 22851

Summary: glpi new security issue CVE-2018-7563
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: guillomovitch, herman.viaene, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: glpi-9.2.1-1.mga7.src.rpm CVE:
Status comment: Patch available from Fedora

Description David Walser 2018-03-31 22:20:37 CEST 
Fedora has issued an advisory on March 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7TJDOAMV55BUNNNCAGCK5URQZEMUH53/

Mageia 6 is also affected.
David Walser 2018-03-31 22:20:43 CEST

Whiteboard: (none) => MGA6TOO

David Walser 2018-05-04 08:33:32 CEST

Status comment: (none) => Patch available from Fedora

Comment 1 David Walser 2018-06-03 21:18:44 CEST 
Fixed in glpi-9.1.6-2.1.mga6 by Guillaume on May 5.

Assignee: guillomovitch => qa-bugs
CC: (none) => guillomovitch
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 2 Herman Viaene 2018-06-04 14:23:31 CEST 
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
After making sure httpd and mysqld run, pointing to http://localhost/glpi got the installer going. Using the default names as per bug 21331 Comment 4, the whole installation went OK, and i was able to login as user "normal" and see my (empty) planning.
Did not go any further as this seems really system admin terrain.
OK for me, unless some real sysadmin wants to have a go at it.
And BTW, it does not seem to break anything else.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 3 claire robinson 2018-06-04 15:15:05 CEST 
Validating. Advisory needed or this one please David

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 David Walser 2018-06-04 18:46:55 CEST 
Advisory:
========================

Updated glpi package fixes security vulnerability:

An issue was discovered in GLPI through 9.2.1. The application is affected by
XSS in the query string to front/preference.php. An attacker is able to create a
malicious URL that, if opened by an authenticated user with debug privilege,
will execute JavaScript code supplied by the attacker. The attacker-supplied
code can perform a wide variety of actions, such as stealing the victim's
session token or login credentials, performing arbitrary actions on the victim's
behalf, and logging their keystrokes (CVE-2018-7563).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7563
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7TJDOAMV55BUNNNCAGCK5URQZEMUH53/
Comment 5 claire robinson 2018-06-05 17:47:24 CEST 
Thanks David

Keywords: (none) => advisory

Comment 6 Mageia Robot 2018-06-05 23:43:15 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0272.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED