Use of GET Request Method With Sensitive Query Strings in glpi-project/glpi

Valid

Reported on

Oct 27th 2021


Description

We can obtain a list of users (employees) on the GLPI platform.

Proof of Concept

Here, for example, we are in the Intervenant role.

Steps to reproduce:

  1. Go to Assistance --> Planning.
  2. On the left of the menu, in front of the Plannings section, click on the Plus (+) button.
  3. In the Actor field list, select User.
  4. In the User field list, select our own name (the person who is connected). Only this connected user is available, and we can export a CSV file, for example.
  5. Intercept the request with Burp Suite and change the user_id to another value. We can do this multiple times and obtain a list of multiple users.
  6. In the Plannings section of the left menu we can see the list of users.
Impact

Sensitive information about usernames; we can use them and brute force the passwords to gain access.
We have contacted a member of the glpi-project/glpi team and are waiting to hear back 8 months ago
We have sent a follow up to the glpi-project/glpi team. We will try again in 7 days. 8 months ago
We have sent a second follow up to the glpi-project/glpi team. We will try again in 10 days. 8 months ago
glpi-project/glpi maintainer validated this vulnerability 8 months ago
laddada nadjet has been awarded the disclosure bounty
The fix bounty is now up for grabs
glpi-project/glpi maintainer
8 months ago

Maintainer


See https://github.com/glpi-project/glpi/security/advisories/GHSA-r8gq-xf5w-5crh

laddada nadjet
8 months ago

Researcher


Hi, is there a bounty or CVE for this vulnerability? Thank you.

glpi-project/glpi maintainer
7 months ago

Maintainer


I finally closed the advisory with this explanation:

After investigation, we don't retrieve more users than we can have in any user dropdown. As front/planningcsv.php checks the concordance of entities, the brute-force retrieval doesn't differ.

If you have access to a user dropdown (like requester in ticket or user in a computer), you'll have the same list of users (with more ease by the way).

I will just remove the bypass of rights at the top of the file, as CSV export should not be possible offline. But this doesn't need an advisory.
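
The function below is an added example, not GLPI's own code, of the server-side check the maintainer's explanation describes for an export endpoint that takes the target user from the query string: the parameter name uID, the user table and the session layout are assumed. The requester's identity comes only from the session, the target is accepted only if it is the requester or a user in an entity the session may view, and an unknown id gets the same answer as a forbidden one, so the response cannot be used to enumerate accounts.

```php
<?php
// Added example (not GLPI code): authorization for a planning CSV export
// whose target user id arrives in the query string (hypothetical parameter
// name uID). The session, set at login, is the only source of identity.

// Constructed sample directory: user id => [name, entity id]
const USERS = [
    3 => ['name' => 'nadjet',  'entity' => 1],
    4 => ['name' => 'tech-a',  'entity' => 1],
    5 => ['name' => 'admin-b', 'entity' => 2],
];

/**
 * Decide whether the logged-in user may export the planning of the user
 * named by $rawTargetId. $session['user_id'] is the authenticated user and
 * $session['entities'] the entity ids that session may view (assumed shape).
 * Returns [allowed, reason].
 */
function canExportPlanning(array $session, string $rawTargetId): array
{
    // Accept only a positive integer: no type juggling, no "0", no "3 OR 1".
    if (!ctype_digit($rawTargetId) || $rawTargetId === '0') {
        return [false, 'invalid user id'];
    }
    $targetId = (int) $rawTargetId;

    // Unknown ids and forbidden ids get the identical answer, so a caller
    // cycling through uID values learns nothing about which accounts exist.
    if (!array_key_exists($targetId, USERS)) {
        return [false, 'forbidden'];
    }
    if ($targetId === $session['user_id']) {
        return [true, 'self'];
    }
    // Entity concordance: the target must sit in an entity the session may view.
    if (in_array(USERS[$targetId]['entity'], $session['entities'], true)) {
        return [true, 'same entity'];
    }
    return [false, 'forbidden'];
}

// Constructed session: user 3, allowed to view entity 1 only.
$session = ['user_id' => 3, 'entities' => [1]];
foreach (['3', '4', '5', '999', 'abc'] as $uID) {
    [$ok, $why] = canExportPlanning($session, $uID);
    printf("uID=%s -> %s (%s)\n", $uID, $ok ? 'allowed' : 'denied', $why);
}
```

With that session, uID 3 and 4 are allowed (self and same entity), while 5, 999 and abc are all denied, the last two without revealing whether the id exists.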

François Legastelois confirmed that a fix has been merged on 384807 24 days ago
François Legastelois has been awarded the fix bounty