Use of GET Request Method With Sensitive Query Strings in glpi-project/glpi


Reported on

Oct 27th 2021


We can have list of user of Emplyes in GLPI plateform

Proof of Concept

Here for example wa are as Intervenant Role.

Steps to reproduce :

  1. Go to Assistance-->Planning 2.In the left of the menu in front of Plannings section, clich on Plus + Button
  2. In the Actor Field List we select User
  3. In the User Field List we select our name ( The person who is connected). It's only this user who is connected and we can export CSV file for exampla
  4. We intercept with burpsuite and we change the user_id by another value. We can do this multiple time and have list of multiple users
  5. In the Plannings section on the left menu we can see list of users.
# Impact
Sensitive information about usernames, we can use them and brute force the password to have access.
We have contacted a member of the glpi-project/glpi team and are waiting to hear back 2 years ago
We have sent a follow up to the glpi-project/glpi team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the glpi-project/glpi team. We will try again in 10 days. 2 years ago
glpi-project/glpi maintainer validated this vulnerability 2 years ago
laddada nadjet has been awarded the disclosure bounty
The fix bounty is now up for grabs
glpi-project/glpi maintainer
2 years ago



laddada nadjet
2 years ago


Hi Is there a Bounty or CVE for this Vulnerability? Thank you

glpi-project/glpi maintainer
2 years ago


I finally closed the advisory with this explanation :

After investigation, we don't retrieve more users than we can have in any user dropdown. As the front/planningcsv.php check concordance of entities, the forcebrut retrieval doesn't differ.

If you have access to a user dropdown (like requester in ticket or user in a computer), you'll have the same list of users (with more ease by the way).

I will just remove the bypass of right in the top of file as csv export should not be possible offline. But this last doesn't need an advisory.

François Legastelois marked this as fixed in 9.5.7 with commit 384807 a year ago
François Legastelois has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation