SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
| Link | Tags |
|---|---|
| http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147271.html | vendor advisory |
| http://www.exploit-db.com/exploits/35528 | exploit |
| http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147313.html | vendor advisory |
| http://www.mandriva.com/security/advisories?name=MDVSA-2015:167 | vendor advisory |
| http://security.szurek.pl/glpi-085-blind-sql-injection.html | exploit |
| http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html | vendor advisory |
| http://secunia.com/advisories/61367 | third party advisory |
| http://advisories.mageia.org/MGASA-2015-0017.html | |
| http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en | patch vendor advisory |
| http://osvdb.org/show/osvdb/115957 | vdb entry |