Use of GET Request Method With Sensitive Query Strings in glpi-project/glpi

Valid

Reported on

Oct 27th 2021


Description

We can get a list of employee users in the GLPI platform.

Proof of Concept

Here, for example, we are in the Intervenant role.

Steps to reproduce:

  1. Go to Assistance --> Planning.
  2. On the left of the menu, in front of the Plannings section, click on the Plus (+) button.
  3. In the Actor field list, select User.
  4. In the User field list, select our own name (the person who is connected). Only this user is connected, and we can export a CSV file, for example.
  5. We intercept with Burp Suite and change the user_id to another value. We can do this multiple times and obtain a list of multiple users.
  6. In the Plannings section of the left menu we can see the list of users.

# Impact
Sensitive information about usernames: we can use them to brute-force the password and gain access.
We have contacted a member of the glpi-project/glpi team and are waiting to hear back 2 years ago
We have sent a follow up to the glpi-project/glpi team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the glpi-project/glpi team. We will try again in 10 days. 2 years ago
glpi-project/glpi maintainer validated this vulnerability 2 years ago
laddada nadjet has been awarded the disclosure bounty
The fix bounty is now up for grabs
glpi-project/glpi maintainer
2 years ago

Maintainer


See https://github.com/glpi-project/glpi/security/advisories/GHSA-r8gq-xf5w-5crh

laddada nadjet
2 years ago

Researcher


Hi, is there a bounty or CVE for this vulnerability? Thank you.

glpi-project/glpi maintainer
2 years ago

Maintainer


I finally closed the advisory with this explanation:

After investigation, we don't retrieve more users than we can get in any user dropdown. As front/planningcsv.php checks the concordance of entities, the brute-force retrieval doesn't differ.

If you have access to a user dropdown (like requester in a ticket or user in a computer), you'll have the same list of users (with more ease, by the way).

I will just remove the rights bypass at the top of the file, as CSV export should not be possible offline. But this doesn't need an advisory.
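As an added example (not GLPI's code), the following framework-free PHP sketch shows the authorization a planning CSV export should enforce before honouring a `user_id` taken from the query string: an authenticated session, own planning always allowed, otherwise an entity check plus a read right. The session keys, the entity rule and the user table are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the users table (not GLPI's schema):
// user id => display name and the entity the user belongs to.
const USERS = [
    7 => ['name' => 'alice', 'entity' => 1],
    8 => ['name' => 'bob',   'entity' => 1],
    9 => ['name' => 'carol', 'entity' => 2],
];

/**
 * May the calling session export the planning of $requestedUserId?
 * Assumed rules, modelled on the maintainer's remarks above:
 *  - the session must be authenticated (no "offline" export, no rights bypass);
 *  - a user may always export their own planning;
 *  - any other user must belong to an entity the session is allowed to see,
 *    and the session must hold the planning read right.
 */
function canExportPlanning(array $session, int $requestedUserId): bool
{
    if (empty($session['users_id'])) {
        return false;                      // unauthenticated: refuse, never bypass
    }
    if ($requestedUserId === (int) $session['users_id']) {
        return true;                       // own planning
    }
    if (!array_key_exists($requestedUserId, USERS)) {
        return false;                      // unknown id answers exactly like a forbidden one
    }
    return !empty($session['planning_read'])
        && in_array(USERS[$requestedUserId]['entity'], $session['active_entities'], true);
}

/** Handler in the style of a planning CSV export page: user_id arrives in the query string. */
function handleExport(array $session, array $query): array
{
    $requestedUserId = filter_var($query['user_id'] ?? '', FILTER_VALIDATE_INT);
    if ($requestedUserId === false || !canExportPlanning($session, $requestedUserId)) {
        return ['status' => 403, 'body' => ''];     // one uniform refusal for every failure
    }
    $user = USERS[$requestedUserId];
    return ['status' => 200, 'body' => "user;entity\n{$user['name']};{$user['entity']}\n"];
}

// Session of user 7 (alice), who holds the read right and sees entity 1 only.
$session = ['users_id' => 7, 'planning_read' => true, 'active_entities' => [1]];
var_dump(handleExport($session, ['user_id' => '8'])['status']);   // bob shares alice's entity
var_dump(handleExport($session, ['user_id' => '9'])['status']);   // carol is in entity 2
var_dump(handleExport([], ['user_id' => '8'])['status']);         // no session at all
```

The uniform 403 for both "not permitted" and "no such user" keeps the export from doubling as an id enumeration oracle, which is the residual concern even when the entity check is in place.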

François Legastelois marked this as fixed in 9.5.7 with commit 384807 a year ago
François Legastelois has been awarded the fix bounty
This vulnerability will not receive a CVE