Improper Input Validation on emails links in glpi-project/glpi

Valid

Reported on

Oct 28th 2022


Description

In GLPI, users can add their own email addresses to their accounts. However, the address is not validated, so a user can append extra fields to the mailto: link that GLPI builds from it.

Email links support multiple parameters, like:

  • cc
  • bcc
  • body
  • subject
  • multiple emails (email1, email2, ...)
  • ...

Example: mailto:someone@somedomain.tld?subject=Hello&body=Hello%20World

Proof of Concept

Any account can set its own email address in its settings.

If someone clicks on the hyperlink, they can be tricked into sending an email to someone else.

Social engineering

It is hard to notice that the staff email on the screenshot is linked to another domain.

I used jean@glpi-project.org?cc=staff@gIpi-project.org; note that glpi-project.org != gIpi-project.org.

Impact

A victim could send sensitive information to an attacker via email.
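The report's root cause is that a stored address is dropped verbatim into an href, so the "?" and "&" of a mailto query become live parameters. The following is an added example (not GLPI's code, and not the change made in the referenced fix commit) showing the two defensive layers a practitioner would want: a strict shape check on the address before it is stored, and percent-encoding when the link is built, so a stray "?" can never become a parameter. It also includes a small audit helper for checking addresses already in a database. All sample addresses are constructed for illustration.

```python
"""mailto parameter injection: vulnerable link construction beside a
validated and percent-encoded alternative, plus an audit over stored values.
Added example; the sample addresses below are constructed, not real data."""
import re
from urllib.parse import parse_qs, quote, urlsplit

# Strict address shape: one '@', a plain local part and a dotted domain.
# Characters with meaning in a mailto URL or an HTML attribute (? & = # , < >
# quotes, whitespace) are simply not in the allowed set.
_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._+-]+@"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)


def is_valid_email(value: str) -> bool:
    """True only for a bare local@domain address with no query or list syntax."""
    return _EMAIL_RE.fullmatch(value) is not None


def vulnerable_mailto(value: str) -> str:
    """The flaw the report describes: the stored value goes into the href as-is,
    so '?cc=...' or a ',second@address' becomes part of the mail client's request."""
    return f"mailto:{value}"


def encode_mailto(value: str) -> str:
    """Defence in depth: percent-encode everything except unreserved characters
    and '@'. Even an unvalidated value cannot carry a query this way."""
    return "mailto:" + quote(value, safe="@")


def safe_mailto(value: str):
    """Validate first, then encode. Returns None for a rejected address."""
    if not is_valid_email(value):
        return None
    return encode_mailto(value)


def mailto_recipients(href: str) -> dict:
    """Interpret a mailto: href the way a mail client does: the path is the
    comma-separated 'to' list; the query carries cc, bcc, subject, body."""
    parts = urlsplit(href)
    result = {"to": parts.path.split(",")}
    for key, values in parse_qs(parts.query).items():
        result[key] = values[0]
    return result


def audit_stored_emails(values):
    """Return stored addresses that fail the shape check, i.e. candidates for
    parameter injection or extra recipients, for review after patching."""
    return [v for v in values if not is_valid_email(v)]


# Constructed samples: a benign address, the report's cc injection pattern,
# and a second-recipient injection via the comma list syntax.
SAMPLE_ADDRESSES = [
    "alice@example.org",
    "jean@glpi-project.org?cc=staff@gIpi-project.org",
    "bob@example.org,attacker@example.net",
]

if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print("stored value :", addr)
        print("  vulnerable :", mailto_recipients(vulnerable_mailto(addr)))
        print("  safe       :", safe_mailto(addr))
    print("audit flags  :", audit_stored_emails(SAMPLE_ADDRESSES))
```

The validator is deliberately stricter than the full RFC 5322 grammar (quoted local parts, comments and IP-literal domains are rejected); for a profile email field that trade-off is the right one, because the goal is to keep link-relevant characters out of the stored value entirely rather than to accept every syntactically legal address.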

References

  • We are processing your report and will contact the glpi-project/glpi team within 24 hours (a month ago)
  • We have contacted a member of the glpi-project/glpi team and are waiting to hear back (a month ago)
  • Cédric Anne validated this vulnerability (a month ago)
  • xanhacks has been awarded the disclosure bounty
  • The fix bounty is now up for grabs
  • The researcher's credibility has increased: +7
  • Cédric Anne marked this as fixed in 10.0.4 with commit 7dc87c (a month ago)
  • The fix bounty has been dropped
  • This vulnerability will not receive a CVE
  • Cédric Anne published this vulnerability (a month ago)