CVE-2017-11474 in GLPI
Summary
by MITRE
GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php.
Analysis
by VulDB Data Team • 12/13/2022
The vulnerability CVE-2017-11474 represents a critical SQL injection flaw in the GLPI (Gestionnaire Libre de Parc Informatique) information management system. This vulnerability affects versions prior to 9.1.5.1 and resides within the computer_softwareversion.class.php file, specifically in the handling of the $crit variable. The flaw is particularly concerning as it can be exploited through the ajax/common.tabs.php endpoint, which is commonly used for dynamic content loading in web applications. This exploitation vector demonstrates how seemingly innocuous AJAX functionality can become a gateway for database compromise when proper input validation is absent.
The technical nature of this vulnerability stems from inadequate parameter sanitization within the GLPI application's software version tracking module. When the $crit variable is processed, the application fails to properly escape or validate user-supplied input before incorporating it into SQL query construction. This creates an environment where malicious actors can inject arbitrary SQL commands through carefully crafted input parameters. The vulnerability is classified under CWE-89 as SQL Injection, which is one of the most prevalent and dangerous web application security flaws. The attack surface is expanded by the fact that the exploitation occurs through an AJAX endpoint, which typically handles dynamic data requests and may be less scrutinized for security vulnerabilities compared to traditional form submissions.
The operational impact of this vulnerability is severe and multifaceted. An attacker who successfully exploits this SQL injection can potentially gain unauthorized access to the underlying database, extract sensitive information including user credentials, system configurations, and inventory data, or even modify or delete critical information. The vulnerability affects the integrity and confidentiality of the entire GLPI system, which is commonly used by organizations for IT asset management, help desk operations, and system monitoring. Organizations relying on GLPI for critical infrastructure management face significant risk of data breaches, service disruption, and potential compliance violations. The vulnerability's exposure through ajax/common.tabs.php means that even legitimate users interacting with the application's dynamic tabs could inadvertently trigger the attack, making detection and prevention more challenging.
Mitigation strategies for CVE-2017-11474 should prioritize immediate patching to version 9.1.5.1 or later, which contains the necessary fixes for the SQL injection vulnerability. Organizations should implement comprehensive input validation and parameterized queries throughout the application to prevent similar issues in the future. Network segmentation and access controls should be enforced to limit exposure of the affected AJAX endpoints. Regular security assessments including automated vulnerability scanning and manual penetration testing should be conducted to identify potential injection points. Additionally, implementing web application firewalls and database activity monitoring can provide additional layers of defense. The remediation process should also include reviewing and updating security policies to ensure proper input sanitization practices are maintained across all application components, aligning with industry standards such as those recommended by the OWASP Top Ten and NIST cybersecurity frameworks.
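The parameterized-query mitigation described above, shown as an added PHP example that is not GLPI's own code: a hypothetical criteria builder in the spirit of a $crit-style filter, first in the unsafe string-concatenation form and then hardened with an allowlist of column names plus PDO bound parameters. The function names, the table and column names and the shape of the $crit array are assumptions made for the example.

```php
<?php
// Added example, not GLPI's own code. A hypothetical criteria builder in the
// spirit of a $crit-style filter; table and column names are assumptions.
// UNSAFE: field names and values coming from the request (for example an
// AJAX tab load) are concatenated straight into the SQL text.
function buildVersionQueryUnsafe(array $crit): string
{
    $where = [];
    foreach ($crit as $field => $value) {
        $where[] = "`$field` = '$value'"; // nothing is validated or escaped
    }
    return 'SELECT * FROM glpi_computers_softwareversions WHERE '
        . implode(' AND ', $where);
}

// HARDENED: column names are checked against a fixed allowlist (identifiers
// cannot be bound as parameters) and every value is bound through PDO.
const ALLOWED_CRITERIA = ['computers_id', 'softwareversions_id', 'is_deleted'];

function buildVersionQuery(PDO $db, array $crit): PDOStatement
{
    $where  = [];
    $params = [];
    foreach ($crit as $field => $value) {
        if (!in_array($field, ALLOWED_CRITERIA, true)) {
            throw new InvalidArgumentException("Unknown criterion: $field");
        }
        $where[]  = "`$field` = ?";
        $params[] = $value;
    }
    $sql = 'SELECT * FROM glpi_computers_softwareversions';
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params); // values travel separately from the SQL text
    return $stmt;
}

// Constructed in-memory SQLite demo so the hardened path can be run offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE glpi_computers_softwareversions (
    id INTEGER PRIMARY KEY, computers_id INTEGER,
    softwareversions_id INTEGER, is_deleted INTEGER)');
$db->exec('INSERT INTO glpi_computers_softwareversions VALUES (1, 42, 7, 0)');
$crit = ['computers_id' => '42', 'is_deleted' => '0']; // constructed request input
$rows = buildVersionQuery($db, $crit)->fetchAll(PDO::FETCH_ASSOC);
printf("%d row(s) matched\n", count($rows));
```

A criterion whose key is not in the allowlist raises an exception before any SQL is built, and values never become part of the query text, which is the property the upstream fix in 9.1.5.1 is meant to restore.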