Bug 22851 - glpi new security issue CVE-2018-7563
Summary: glpi new security issue CVE-2018-7563
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-31 22:20 CEST by David Walser
Modified: 2018-06-05 23:43 CEST (History)

See Also:
Source RPM: glpi-9.2.1-1.mga7.src.rpm
CVE:
Status comment: Patch available from Fedora


Description David Walser 2018-03-31 22:20:37 CEST
Fedora has issued an advisory on March 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7TJDOAMV55BUNNNCAGCK5URQZEMUH53/

Mageia 6 is also affected.
David Walser 2018-03-31 22:20:43 CEST

Whiteboard: (none) => MGA6TOO

David Walser 2018-05-04 08:33:32 CEST

Status comment: (none) => Patch available from Fedora

Comment 1 David Walser 2018-06-03 21:18:44 CEST
Fixed in glpi-9.1.6-2.1.mga6 by Guillaume on May 5.

Assignee: guillomovitch => qa-bugs
CC: (none) => guillomovitch
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 2 Herman Viaene 2018-06-04 14:23:31 CEST
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
After making sure httpd and mysqld run, pointing to http://localhost/glpi got the installer going. Using the default names as per bug 21331 Comment 4, the whole installation went OK, and I was able to log in as user "normal" and see my (empty) planning.
Did not go any further as this seems really system admin terrain.
OK for me, unless some real sysadmin wants to have a go at it.
And BTW, it does not seem to break anything else.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 3 claire robinson 2018-06-04 15:15:05 CEST
Validating. Advisory needed for this one please, David.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 David Walser 2018-06-04 18:46:55 CEST
Advisory:
========================

Updated glpi package fixes security vulnerability:

An issue was discovered in GLPI through 9.2.1. The application is affected by
XSS in the query string to front/preference.php. An attacker is able to create a
malicious URL that, if opened by an authenticated user with debug privilege,
will execute JavaScript code supplied by the attacker. The attacker-supplied
code can perform a wide variety of actions, such as stealing the victim's
session token or login credentials, performing arbitrary actions on the victim's
behalf, and logging their keystrokes (CVE-2018-7563).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7563
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7TJDOAMV55BUNNNCAGCK5URQZEMUH53/
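
The advisory above describes a reflected XSS reached through the query string of front/preference.php. As an added example (not part of the bug report or of GLPI), the following Python triage script scans web-server access-log lines for requests to that path whose query-string values carry script markers, decoding repeated percent-encoding so a double-encoded payload is not missed. The log lines are constructed, and the parameter name "q" is a placeholder: the advisory names only the script path, not the parameter.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (not taken from the bug report). The
# parameter name "q" is a placeholder; the advisory names only the script path.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jun/2018:14:20:01 +0200] "GET /glpi/front/preference.php HTTP/1.1" 200 5120
10.0.0.7 - - [04/Jun/2018:14:21:15 +0200] "GET /glpi/front/preference.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5133
10.0.0.8 - - [04/Jun/2018:14:21:50 +0200] "GET /glpi/front/preference.php?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5133
10.0.0.9 - - [04/Jun/2018:14:22:40 +0200] "GET /glpi/front/central.php?q=%3Cb%3E HTTP/1.1" 200 2048
"""

# Common-log-format request line: client IP, timestamp, then "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Triage heuristic for script injection in a reflected value; deliberately simple,
# so review hits by hand rather than treating a match as proof.
XSS_RE = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b", re.IGNORECASE)

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so a double-encoded payload is not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious(log_text: str, path_suffix: str = "front/preference.php") -> list[tuple[str, str, str]]:
    """Return (client_ip, parameter, decoded_value) for query values with XSS markers on the given path."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(path_suffix):
            continue
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)  # parse_qsl decodes once; handle further layers
            if XSS_RE.search(value):
                hits.append((m.group("ip"), name, value))
    return hits

if __name__ == "__main__":
    for ip, name, value in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {name}={value!r}")
```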
Comment 5 claire robinson 2018-06-05 17:47:24 CEST
Thanks David

Keywords: (none) => advisory

Comment 6 Mageia Robot 2018-06-05 23:43:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0272.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

