Unescaped fields in clone feature lead to SQL injection

High
trasher published GHSA-qv6w-68gq-wx2v Jul 16, 2020

Package

glpi-project/glpi

Affected versions

9.5.0

Patched versions

9.5.1

Description

Impact

SQL injection for all usage of "Clone" feature.

As an example, we based our test on "Rules", but the same most likely applies to every object that has a "string" field.

  • Create a new "Business rules for tickets"
  • Add this value to the description field (adapt it if you don't have a "glpi" user in your DB):
    ', '', 0, (SELECT password FROM glpi_users WHERE name = 'glpi'), 1, '', 1, null, null); #
  • Save your new rule
  • Use the "Clone" feature in the massive actions of this new rule
  • The clone completes without error, and the "glpi" user's password is injected into the comment field of the cloned rule
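The root cause described above is a clone routine that re-inserts a row by splicing its stored field values into the new INSERT as SQL text, so a value saved earlier is parsed as SQL the moment it is cloned. The following is an added illustration, not GLPI's code and not the referenced patch: it uses an in-memory SQLite table as a constructed stand-in for a GLPI-style rules table and contrasts the unescaped pattern with a parameterized one, checking whether a description containing a quote survives the clone intact.

```python
import sqlite3

# Constructed stand-in for a GLPI-style rules table; the real schema is an assumption.
SCHEMA = """
CREATE TABLE glpi_rules (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT NOT NULL,
    description TEXT,
    comment TEXT
)
"""

def make_db(description):
    """Create an in-memory DB holding one rule whose description is user-controlled text."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO glpi_rules (name, description, comment) VALUES (?, ?, ?)",
                 ("Rule 1", description, "original comment"))
    conn.commit()
    return conn

def clone_unescaped(conn, rule_id):
    """Vulnerable pattern: stored field values are spliced into the INSERT as SQL text."""
    name, desc, comment = conn.execute(
        "SELECT name, description, comment FROM glpi_rules WHERE id = ?", (rule_id,)).fetchone()
    sql = (f"INSERT INTO glpi_rules (name, description, comment) "
           f"VALUES ('{name} (copy)', '{desc}', '{comment}')")
    cur = conn.execute(sql)  # a quote inside desc changes the statement's structure
    return cur.lastrowid

def clone_parameterized(conn, rule_id):
    """Hardened pattern: values travel as bound parameters, never as SQL text."""
    name, desc, comment = conn.execute(
        "SELECT name, description, comment FROM glpi_rules WHERE id = ?", (rule_id,)).fetchone()
    cur = conn.execute(
        "INSERT INTO glpi_rules (name, description, comment) VALUES (?, ?, ?)",
        (f"{name} (copy)", desc, comment))
    return cur.lastrowid

def clone_preserves_fields(clone_fn, description):
    """True if the clone stores the description verbatim; False if the query failed
    or the copied value differs, i.e. the stored value was interpreted as SQL."""
    conn = make_db(description)
    try:
        new_id = clone_fn(conn, 1)
    except sqlite3.DatabaseError:
        return False
    row = conn.execute("SELECT description FROM glpi_rules WHERE id = ?", (new_id,)).fetchone()
    return row is not None and row[0] == description
```

A regression test along these lines (clone an object whose string fields contain quotes, then compare the copy field by field) is a cheap way to catch this class of bug before it reaches a release.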

Patches

See applied patch: a4baa64

Workarounds

Apply the patch.

References

Since #6684

For more information

If you have any questions or comments about this advisory, please email us at glpi-security at ow2.org

Severity

High

CVE ID

CVE-2020-15108

Weaknesses

No CWEs

Credits