SQL Injection in glpi-project/glpi
Reported on
Jul 8th 2023
Description
GLPI 10.0.8 and 10.0.7 are affected by an SQL injection on the page ajax/dashboard.php.
Proof of Concept
I can provide you with the PoC, written in Python 3.5 (or higher). Just give me a way to send it to you.
Tested under the following environment:
- Ubuntu 20.04
- GLPI 10.0.8 and 10.0.7
- MySQL 8.0.31
The vulnerability occurs because a user can add a dashboard with a quote in its name (action "save_new_dashboard"). Then, when the attacker saves the items, the stored dashboard name results in an SQL injection (action "save_items").
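To make the mechanism concrete, here is an added illustration in PHP with PDO (not GLPI's own code): a hypothetical save_new_dashboard handler stores the name correctly, then a hypothetical save_items handler splices that stored name into an UPDATE statement by concatenation, which is the second-order pattern the report describes, beside a fixed version that binds the name as a parameter. Table, column and function names are assumptions.

```php
<?php
// Added illustration, not GLPI's code. Table, column and function names are
// assumptions; only the shape of the bug (a stored value spliced into a later
// UPDATE) follows the report.

// Hypothetical "save_new_dashboard": the name is stored as-is, quotes included,
// because this INSERT is parameterized. Storing it correctly is not the bug.
function saveNewDashboard(PDO $db, string $name): void {
    $stmt = $db->prepare('INSERT INTO dashboards (name, items) VALUES (?, ?)');
    $stmt->execute([$name, '[]']);
}

// Hypothetical "save_items", vulnerable: the stored name is read back later and
// concatenated into an UPDATE. A single quote inside the name closes the string
// literal, and whatever follows is parsed as SQL (second-order injection).
function saveItemsVulnerable(PDO $db, string $storedName, string $itemsJson): void {
    $sql = "UPDATE dashboards SET items = " . $db->quote($itemsJson)
         . " WHERE name = '" . $storedName . "'";   // BUG: stored value trusted
    $db->exec($sql);
}

// Fixed: bind every value, including ones already read from the database.
function saveItemsFixed(PDO $db, string $storedName, string $itemsJson): void {
    $stmt = $db->prepare('UPDATE dashboards SET items = :items WHERE name = :name');
    $stmt->execute([':items' => $itemsJson, ':name' => $storedName]);
}

// Demo harness on an in-memory SQLite database (assumes pdo_sqlite is available).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE dashboards (name TEXT, items TEXT)');
$name = "Team O'Brien";   // an ordinary apostrophe is enough to show the problem
saveNewDashboard($db, $name);

try {
    saveItemsVulnerable($db, $name, '[{"id":1}]');
} catch (PDOException $e) {
    echo "vulnerable: the quote in the stored name reached the SQL parser\n";
}
saveItemsFixed($db, $name, '[{"id":1}]');
echo "fixed: ", $db->query('SELECT items FROM dashboards')->fetchColumn(), "\n";
```

When reviewing for this class of bug, trace values read back from the database into SQL strings, not only request parameters, since the quote arrives one request after it was stored.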
Lowering the impact
The attacker needs the right to create dashboards. (I don't really know, but this seems to be a high privilege.)
The SQL injection payload is limited to 100 characters, and is time-based in most cases.
By default, stacked queries are not allowed.
Increasing the impact
In GLPI <= 10.0.7, any user can exploit this vulnerability, because everyone can add a dashboard (the exploit was designed for this version and adapted for 10.0.8 afterwards).
If SQL errors are shown to the attacker, error-based SQL injection becomes possible, which is a lot faster.
The SQL injection occurs in an UPDATE statement, which can be abused in some cases.
Impact
This vulnerability allows an attacker to recover data from the database, such as passwords, emails and other potentially sensitive data.
@guilhem7
I cannot find a way to reproduce. Please send more details to glpi-security@ow2.org
Regards
https://github.com/glpi-project/glpi/security/advisories/GHSA-46gp-f96h-53w4