GLPI < 9.5.5 Stored Cross-Site Scripting (XSS)

Stealing Privileged Accounts

What's GLPI?

GLPI is an incredible ITSM software tool that helps you plan and manage IT changes in an easy way, solve problems efficiently when they emerge and allow you to gain legitimate control over your company’s IT budget, and expenses.

Many companies use GLPI to manage their clients and tickets. GLPI has different kind of users. To manage plugins the user needs to has a tech role. So if you steal this kind of account you can go to administration page and dump the whole database to clone in your local lab.

The Vector

During the plugin installation process, GLPI reads the setup.php file from plugins to show informations as author, plugin version, license and etc...

The problem here is simple, they do not validate and sanitize these informations before render to the user. Trust the user input is never a good idea.

GLPI loads the plugin using the setup.php file, as we can see in this piece of code.

Fig.1 - Load Plugins
Fig.2 - The setup.php file from plugins.

Plugins need to have a function called plugin_version_NAMEOFPLUGIN(). This function will return the array that contains all informations as version, author, license, homepage and the min GLPI version. We saw this function at Fig.2.

Fig.3 - Calling GetInfo()
Fig.4 - Getting Informations

To display these informations to the user, Glpi uses /front/plugin.php that calls view.class.php. As the following image shows, there is no checking to escape html/javascript code. All information is concatened directly to HTML.

Fig.5 - Display

Here we can see the alert being executed.

Fig.6 - Alert executed