

#1 2014-07-01 11:01:53

skorpi
Member
Registered: 2013-12-31
Posts: 3

[0.84.6] XSS on login page

We noted an XSS vulnerability on the login page of GLPI v0.84.6. E.g., the following URL runs the embedded JS, showing a popup. Tested on IE 8 and Firefox 24.6.0.

http://glpi_location/foo%22%3E%3Cscript%3Ealert(1)%3C/script%3E


#2 2014-07-02 14:50:08

MoYo
GLPI - Lead
From: Poitiers
Registered: 2004-09-13
Posts: 14,513

Re: [0.84.6] XSS on login page

Sorry, I do not understand.

Do you mean the text that you can add to the login page through the configuration?
If yes, it is normal to permit the administrator to add custom text. The config is only available to the admin of your GLPI.


MoYo - Julien Dombre - Association INDEPNET


#3 2014-07-04 08:05:58

skorpi
Member
Registered: 2013-12-31
Posts: 3

Re: [0.84.6] XSS on login page

We investigated the issue a bit further and found a rewrite condition on our HTTP server, forwarding every request for a non-existing URL under /glpi/ (e.g., /glpi/foo) to index.php. Without the rewrite condition, an HTTP 404 is returned.

With the rewrite condition enabled, the way GLPI cleans up the URL in order to find the globaldir (GLPI base URL) opened up the potential for the reported XSS.

The globaldir is defined in inc/config.class.php by the detectRootDoc function, currently as follows:

         // REQUEST_URI is the path exactly as the client sent it
         $globaldir  = Html::cleanParametersURL($_SERVER['REQUEST_URI']);
         // strip the trailing "/something.php" to keep only the base directory
         $globaldir  = preg_replace("/\/[0-9a-zA-Z\.\-\_]+\.php/","",$globaldir);

We recommend substituting the previous two lines with the following:

         // PHP_SELF is the path of the script actually executed, not the requested URL
         $globaldir  = dirname($_SERVER['PHP_SELF']);

This would prevent the XSS even with the rewrite condition, and would be a simpler way of getting the info.

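The contrast skorpi describes, shown side by side as an added example that is not GLPI's own code: both derivations are run on constructed $_SERVER values that mimic a request rewritten to index.php, and cleanParametersURL() is an assumed stand-in for Html::cleanParametersURL() that only strips the query string.

```php
<?php
// Added example, not code from GLPI or from the thread.

// Assumed stand-in for Html::cleanParametersURL(): drop the query string.
function cleanParametersURL(string $url): string
{
    return preg_replace('/\?.*$/', '', $url);
}

// Derivation used by 0.84.6: built from REQUEST_URI, which is entirely
// client-controlled, so anything the client appends survives into globaldir
// unless it happens to look like "/name.php".
function rootDocFromRequestUri(string $requestUri): string
{
    $globaldir = cleanParametersURL($requestUri);
    return preg_replace('/\/[0-9a-zA-Z\.\-\_]+\.php/', '', $globaldir);
}

// Derivation proposed in the thread: built from the script path that the
// server actually dispatched to, so the rewritten request path is not used.
function rootDocFromPhpSelf(string $phpSelf): string
{
    return dirname($phpSelf);
}

// Constructed request: the rewrite rule sent "/glpi/foo<markup>" to
// /glpi/index.php. REQUEST_URI is written URL-decoded here for readability.
$server = [
    'REQUEST_URI' => '/glpi/foo"><script>alert(1)</script>',
    'PHP_SELF'    => '/glpi/index.php',
];

$fromRequest = rootDocFromRequestUri($server['REQUEST_URI']);
$fromScript  = rootDocFromPhpSelf($server['PHP_SELF']);

printf("REQUEST_URI-based: %s\n", $fromRequest); // injected markup still present
printf("PHP_SELF-based:    %s\n", $fromScript);  // /glpi

// Whatever the source, a base path that ends up inside HTML should still be
// escaped at output; PHP_SELF can carry extra path segments (PATH_INFO), so
// it is not fully trusted either.
printf("Escaped for an attribute: %s\n",
       htmlspecialchars($fromScript, ENT_QUOTES, 'UTF-8'));
```

Run it with the PHP CLI; the first line shows the injected markup carried through by the REQUEST_URI derivation while the second yields only /glpi.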
