Use of GET Request Method With Sensitive Query Strings in glpi-project/glpi
Oct 27th 2021
We can obtain a list of users (employees) on the GLPI platform.
Proof of Concept
Here, for example, we are logged in with the Intervenant role.
Steps to reproduce:
- Go to Assistance --> Planning
- In the left menu, next to the Plannings section, click the Plus (+) button
- In the Actor field list, select User
- In the User field list, select our own name (the user who is connected). Only the connected user is offered here, and we can export a CSV file, for example
- Intercept the export request with Burp Suite and change the user_id to another value. This can be repeated many times to obtain a list of multiple users
- In the Plannings section of the left menu, the list of users is then visible
# Impact
Sensitive information: usernames are disclosed. They can then be used to brute-force passwords and gain access.
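To make the disagreement between the report and the maintainer concrete, here is an added example (not GLPI's code, and not the page author's) modelling the two behaviours under discussion: a CSV export that honours any user_id supplied in the query string, and one that first checks, as the maintainer says front/planningcsv.php does, that the requested user belongs to an entity the caller can see. The user records, the entity visibility table and the simplified query string are all constructed for the example; only the path front/planningcsv.php and the user_id parameter name come from the page.

```python
"""Model of the planning CSV export access check discussed on this page.

Added example, not GLPI's own code. USERS, VISIBLE_ENTITIES and the
query-string shape are constructed assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class User:
    id: int
    name: str
    entity: int  # entity the user belongs to (constructed)


# Constructed sample directory: five users across three entities.
USERS = {u.id: u for u in [
    User(1, "alice", 10),
    User(2, "bob", 10),
    User(3, "carol", 20),
    User(4, "dave", 20),
    User(5, "erin", 30),
]}

# Constructed visibility table: which entities each caller may see.
VISIBLE_ENTITIES = {1: {10}, 2: {10, 20}, 3: {20}, 4: {20, 30}, 5: {30}}

# Path from the page; the query string is simplified to the one parameter
# the report says was tampered with in Burp Suite.
EXPORT_PATH = "/front/planningcsv.php"


def requested_user_id(url: str, caller_id: int) -> int:
    """Read user_id from the GET query string, defaulting to the caller."""
    values = parse_qs(urlsplit(url).query).get("user_id")
    if not values:
        return caller_id
    return int(values[0])  # malformed values raise ValueError


def export_trusting(url: str, caller_id: int) -> Optional[str]:
    """Behaviour the report assumes: any supplied user_id is honoured."""
    target = USERS.get(requested_user_id(url, caller_id))
    return None if target is None else target.name


def export_checked(url: str, caller_id: int) -> Optional[str]:
    """Behaviour the maintainer describes: the target user must sit in an
    entity the caller can see. Unknown and forbidden ids get the same
    answer so the check does not become a user-existence oracle."""
    target = USERS.get(requested_user_id(url, caller_id))
    if target is None or target.entity not in VISIBLE_ENTITIES[caller_id]:
        return None
    return target.name


def enumerate_users(export: Callable[[str, int], Optional[str]],
                    caller_id: int, max_id: int) -> dict:
    """Replay the report's technique: walk user_id=1..max_id and keep hits."""
    found = {}
    for uid in range(1, max_id + 1):
        name = export(f"{EXPORT_PATH}?user_id={uid}", caller_id)
        if name is not None:
            found[uid] = name
    return found


def dropdown_users(caller_id: int) -> dict:
    """Users the caller would already see in any entity-filtered dropdown."""
    return {u.id: u.name for u in USERS.values()
            if u.entity in VISIBLE_ENTITIES[caller_id]}


if __name__ == "__main__":
    caller = 1  # alice, who only sees entity 10
    print("trusting export:", enumerate_users(export_trusting, caller, 6))
    print("checked export: ", enumerate_users(export_checked, caller, 6))
    print("dropdown:       ", dropdown_users(caller))
```

Run as a script, the trusting export lets caller 1 harvest all five usernames, while the checked export yields exactly the set that dropdown_users returns for the same caller, which is the maintainer's argument that the export discloses nothing beyond what an ordinary user dropdown already shows. The remaining point a reviewer would still raise is the one in the title: the identifier travels in a GET query string, so it lands in proxy and server access logs and browser history, which an entity check does nothing about.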
Hi, is there a bounty or CVE for this vulnerability? Thank you
I finally closed the advisory with this explanation:
After investigation, we don't retrieve more users than we can have in any user dropdown. As front/planningcsv.php checks the concordance of entities, the brute-force retrieval doesn't differ.
If you have access to a user dropdown (like requester in a ticket or user in a computer), you'll have the same list of users (with more ease, by the way).
I will just remove the bypass of rights at the top of the file, as CSV export should not be possible offline. But this doesn't need an advisory.