SSRF in feeds in glpi-project/glpi
Oct 2nd 2022
By looking at this URL:
https://github.com/glpi-project/glpi/security/advisories/GHSA-rqgx-gqhp-x8vv, I understand that an SSRF was possible in the URL of the RSS feed, and that this has been fixed.
However, I found a bypass of the fix for CVE-2022-36112.
Proof of Concept
To trigger the bug, set up a PHP server on a remote machine, with a file
index.php containing this code:
Then, on the server where GLPI is running, start a listener on port 4444.
In the RSS feed URL, enter "http://<your server>/index.php" and hit enter.
You will see that the listener on port 4444 receives this request:
user@vm:/var/www/glpi$ nc -lnvp 4444
Listening on 0.0.0.0 4444
Connection received on 127.0.0.1 59222
GET / HTTP/1.1
Host: localhost:4444
User-Agent: SimplePie/1.5.8 (Feed Parser; http://simplepie.org; Allow like Gecko) Build/20211224025350
Accept-Encoding: deflate, gzip, br
Referer: http://localhost:4444/
Accept: application/atom+xml, application/rss+xml, application/rdf+xml;q=0.9, application/xml;q=0.8, text/xml;q=0.8, text/html;q=0.7, unknown/unknown;q=0.1, application/unknown;q=0.1, */*;q=0.1
This vulnerability lets a remote attacker make the GLPI server issue HTTP requests to hosts it can reach but the attacker cannot (here the loopback interface, port 4444), which can be used to discover services on the internal network of the machine running GLPI.
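The listener output above shows the feed parser connecting from 127.0.0.1 even though the configured feed URL pointed at a remote host. The Python below is an added example, not GLPI or SimplePie code, that models the difference between validating only the submitted feed URL and re-validating the destination of every redirect hop. It assumes, since the page does not show the file, that the remote index.php answers with an HTTP redirect to http://localhost:4444/. The hostnames attacker.example and intranet.example, the address table and the response table are constructed so that the example runs offline; the address 1.2.3.4 is only a placeholder for a public address.

```python
"""Added example (not GLPI or SimplePie code): a redirect-aware SSRF guard.

Assumption, not stated on the page: the remote index.php replies with a
redirect to http://localhost:4444/ that the feed parser then follows.
DNS answers and HTTP responses are constructed tables so this runs offline.
"""
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed resolver table (assumed names; 1.2.3.4 stands in for a public
# address because Python treats the RFC 5737 documentation ranges as non-global).
FAKE_DNS = {
    "attacker.example": ["1.2.3.4"],
    "localhost": ["127.0.0.1", "::1"],
    "intranet.example": ["10.0.0.5"],
}

# Constructed responses: url -> (status, headers, body).  The attacker's
# index.php is assumed to redirect into the GLPI host's loopback interface.
FAKE_RESPONSES = {
    "http://attacker.example/index.php": (302, {"Location": "http://localhost:4444/"}, b""),
    "http://attacker.example/feed.xml": (200, {}, b"<rss/>"),
    "http://localhost:4444/": (200, {}, b"internal service banner"),
}


class BlockedTarget(Exception):
    """Raised when a hop would reach a non-public destination."""

    def __init__(self, url):
        super().__init__("refusing to fetch " + url)
        self.url = url


def resolve(host):
    """Return the addresses a host maps to: literal IPs as-is, names via FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host.strip("[]")))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_safe_target(url):
    """Allow only http(s) URLs whose host resolves exclusively to global
    addresses; loopback, private, link-local, IPv4-mapped and unresolvable
    hosts are all rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolve(parts.hostname)
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if not ip.is_global:
            return False
    return True


def fetch_feed(url, check_every_hop, max_redirects=5):
    """Follow redirects from the constructed response table.

    check_every_hop=False validates only the submitted URL (the pattern the
    listener output above is consistent with); check_every_hop=True validates
    each redirect target before it is fetched.  Returns (visited_urls, body).
    """
    visited = []
    for hop in range(max_redirects + 1):
        if (hop == 0 or check_every_hop) and not is_safe_target(url):
            raise BlockedTarget(url)
        visited.append(url)
        status, headers, body = FAKE_RESPONSES[url]
        if status not in REDIRECT_CODES:
            return visited, body
        url = urljoin(url, headers["Location"])
    raise BlockedTarget(url)


if __name__ == "__main__":
    feed = "http://attacker.example/index.php"
    print("initial-only check reached:", fetch_feed(feed, check_every_hop=False)[0])
    try:
        fetch_feed(feed, check_every_hop=True)
    except BlockedTarget as e:
        print("per-hop check stopped at:", e.url)
```

Running the module shows the initial-only check happily following the redirect to http://localhost:4444/ while the per-hop check stops exactly there. In a real client the validation has to apply to the address the socket actually connects to, not to a separate lookup, otherwise a DNS answer that changes between validation and connection (rebinding) reopens the same hole.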