CVE-2014-8360

Name	CVE-2014-8360
Description	Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
glpi	source	(unstable)	(unfixed)	unimportant

Notes

Only supported behind an authenticated HTTP zone
original bug: https://forge.indepnet.net/issues/5101
followup: https://forge.indepnet.net/issues/5113
appears to be a generic autoloading abuse; possibly with
some use of simplepie being the attack vector