CVE-2013-2226 in GLPI
Summary
by MITRE
Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow remote attackers to execute arbitrary SQL commands via the (1) users_id_assign parameter to ajax/ticketassigninformation.php, (2) filename parameter to front/document.form.php, or (3) table parameter to ajax/comments.php.
Analysis
by VulDB Data Team • 01/09/2025
CVE-2013-2226 is a critical SQL injection flaw in GLPI versions prior to 0.83.9. It is reachable through three distinct parameters of the application's web interface, each giving an attacker its own path to the underlying database: users_id_assign in the ajax/ticketassigninformation.php endpoint, filename in the front/document.form.php handler, and table in the ajax/comments.php AJAX interface. The weakness is classified as CWE-89 (SQL injection) and maps to ATT&CK technique T1190 (Exploit Public-Facing Application).
Exploitation lets a remote attacker execute arbitrary SQL commands against the backend database without authentication. A manipulated users_id_assign value sent to ajax/ticketassigninformation.php injects SQL that bypasses the normal authentication checks and gains unauthorized access to database operations. A manipulated filename value sent to front/document.form.php likewise injects SQL that can read, modify, or delete sensitive data. The table parameter of ajax/comments.php is a third injection point, potentially allowing full database compromise. These flaws are especially dangerous because they sit in core functions (ticket assignment, document management, and comments) that handle sensitive organizational data.
The operational impact of CVE-2013-2226 goes beyond data theft to complete database compromise and potential system-wide infiltration. An attacker can extract user credentials, personal information, system configuration, and other sensitive data stored in the GLPI database, and because arbitrary SQL can be executed, can also modify or delete records, leading to data corruption or denial of service. In enterprises where GLPI is the central IT asset management system, this means significant operational disruption and possible compliance violations. Since the attack vectors are remote, exploitation requires no access to the target network beyond reaching the web interface, which makes the vulnerability attractive to cybercriminals.
Affected organizations should upgrade to GLPI 0.83.9 or later, which contains the patches for these SQL injection flaws. As defense in depth, the affected components should validate input and use parameterized queries so that similar flaws cannot recur. Network segmentation and firewall rules should be reviewed to limit who can reach the affected web interfaces, and intrusion detection systems should be configured to alert on SQL injection patterns in requests. Security audits should verify every database interaction to confirm that input is properly sanitized before any SQL statement is executed. The vulnerability underlines the importance of keeping software current and applying application security controls, since a known, unpatched flaw of this kind can lead to complete system compromise.
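As an added illustration (not code from GLPI or VulDB), the following Python/sqlite3 sketch shows the validate-and-parameterize pattern the remediation paragraph calls for, applied to the three parameter classes named in the advisory: the numeric users_id_assign, the free-text filename, and the table identifier, which cannot be bound as a placeholder and so needs an allow-list. The table and column names are constructed stand-ins, not GLPI's real schema.

```python
import re
import sqlite3

# Constructed in-memory schema standing in for GLPI tables (names are illustrative only).
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE glpi_users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE glpi_documents (id INTEGER PRIMARY KEY, filename TEXT);
        CREATE TABLE glpi_tickets (id INTEGER PRIMARY KEY, comment TEXT);
        INSERT INTO glpi_users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO glpi_documents VALUES (1, 'report.pdf'), (2, 'budget.xls');
        INSERT INTO glpi_tickets VALUES (1, 'printer jam');
    """)
    return conn

# (1) users_id_assign is an integer id: reject anything that is not digits, then bind it.
def assigned_user(conn: sqlite3.Connection, users_id_assign: str):
    if not re.fullmatch(r"[0-9]+", users_id_assign):
        raise ValueError("users_id_assign must be an unsigned integer")
    row = conn.execute("SELECT name FROM glpi_users WHERE id = ?",
                       (int(users_id_assign),)).fetchone()
    return row[0] if row else None

# (2) filename is free-form text: never concatenate it into SQL; a bound
#     parameter keeps quotes and keywords inside the value as plain data.
def document_by_filename(conn: sqlite3.Connection, filename: str):
    rows = conn.execute("SELECT id FROM glpi_documents WHERE filename = ?",
                        (filename,)).fetchall()
    return [r[0] for r in rows]

# (3) table is an identifier: placeholders cannot bind identifiers, so the only
#     safe option is to compare against a fixed allow-list of known table names.
ALLOWED_COMMENT_TABLES = {"glpi_tickets", "glpi_documents"}

def comments_from_table(conn: sqlite3.Connection, table: str) -> int:
    if table not in ALLOWED_COMMENT_TABLES:
        raise ValueError(f"table {table!r} is not permitted")
    # Interpolation is safe here only because `table` is one of our own literals.
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
```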