SQL Injection in glpi-project/glpi
Jul 8th 2023
GLPI 10.0.8 and are affected by an SQL injection on the page ajax/dashboard.php
Proof of Concept
I can provide you the POC written in python3.5 (or higher). Just provide me a way to send it to you.
Tested under the following environment:
- Ubuntu 20.04
- GLPI 10.0.8 and 10.0.7
- Mysql 8.0.31
The vulnerability occurs because a user can add a dashboard with quote in its name (action "save_new_dashboard"). Then when the attacker save the item, the dashboard name result in SQL Injection (action "save_items").
Lowering the impact
The attacker needs the right to CREATE dashboard. (I don't really know, but this seems to be a high privilege)
The SQLInjection payload is limited to 100 chars, and is time based in most case.
By default no stack query allow.
Increasing the impact
In glpi <= 10.0.7 any user can exploit this vulnerability, cause everyone can add a dashboard (the exploit was designed for this version and adapted for 10.0.8 after).
If Sql errors are shown to the attacker, an attacker can exploit error based SQLInjection which is a lot faster.
The SQLInjection occurs in an 'UPDATE' statement, which can be abused in some cases.
This vulnerability allows an attacker to recover data from the database like password, email and other potential sensitive data.