$_GET values are escaped:
But in one place slashes are removed from
$query is a multiline statement, so we cannot control ORDER BY.
That is why we cannot use a UNION statement.
But we can use a subquery.
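
The escape-then-unescape pattern described above, as an added example (not GLPI's code and not part of the original advisory). The table `items`, the column `name`, the helper function names and the request value are all hypothetical or constructed; the block contrasts concatenation after `stripslashes()` with a bound parameter.

```php
<?php
// Added example, not GLPI code. All names and values here are hypothetical.

// Stand-in for an application-wide filter that escapes every request value.
function escape_input(string $value): string
{
    return addslashes($value);
}

// Vulnerable pattern: the escaped value is un-escaped again before it is
// concatenated into the statement, so a quote in the input ends the literal.
// The trailing ORDER BY stays fixed, but the WHERE clause is no longer ours.
function build_query_unsafe(string $escaped): string
{
    $name = stripslashes($escaped); // undoes escape_input()
    return "SELECT id FROM items WHERE name = '$name' ORDER BY id";
}

// Hardened pattern: the SQL text is constant and the value is bound as data,
// so it makes no difference whether slashes were added or removed upstream.
function find_items_safe(PDO $db, string $escaped): array
{
    $stmt = $db->prepare('SELECT id FROM items WHERE name = ? ORDER BY id');
    $stmt->execute([stripslashes($escaped)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// In-memory database with two constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (name) VALUES ('alpha'), ('beta')");

// Constructed request value containing quotes.
$raw     = "alpha' OR 'x'='x";
$escaped = escape_input($raw);

// The escaped form is harmless inside a literal; the un-escaped form is not.
echo "escaped input : ", $escaped, "\n";
echo "unsafe query  : ", build_query_unsafe($escaped), "\n";

// Row counts: the concatenated query evaluates the injected OR branch,
// while the bound parameter is compared as one literal string.
$unsafeRows = $db->query(build_query_unsafe($escaped))->fetchAll(PDO::FETCH_COLUMN);
echo "unsafe rows   : ", count($unsafeRows), "\n";
echo "safe rows     : ", count(find_items_safe($db, $escaped)), "\n";
```
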
Proof of Concept:
Log in (user type doesn’t matter), then:
glpi_groups must have at least one record for this to work.
This SQL checks whether the first password character of the user with ID=2 is “$”.
If it is, the query sleeps for 5 seconds.
- 28-11-2014: Discovered
- 28-11-2014: Vendor notified
- 11-12-2014: Version 0.85.1 released, issue resolved