SQL Injection - SQL as a service (No-auth) in ericferon/glpi-archimap

Valid

Reported on

Oct 27th 2022


Description

The GLPI plugin glpi-archimap contains an ajax route named getconfig.php which allows a user to retrieve the plugin configuration.

However, this route is accessible to everyone because it performs no authentication check. Moreover, an attacker can inject their own SQL queries and receive the results of those queries directly in the HTTP response.

Proof of Concept

Plugin installation via Marketplace

You can install the plugin glpi-archimap using the marketplace.

SQL Injection

As you can see below, the plugin builds SQL queries by concatenating user input:

$tables = file_get_contents('php://input'); // raw POST body; no session or rights check precedes this
if (isset($tables)) {
    $tables = json_decode($tables);
} else {
    die("No 'tables' contained in body of POST request 'getconfig'");
}
$datas = [];
foreach($tables as $key => $tablecolumn) {
    $table = $tablecolumn->table;
    $columns = explode(",", str_replace(' ', '', $tablecolumn->column)); // suppress spaces and split on comma
    $where = ($tablecolumn->where ? " WHERE ".$tablecolumn->where : ""); // request-controlled string, used verbatim in the query
    if (!in_array(strtolower($table), $forbidden_tables)) { // $forbidden_tables is defined outside this excerpt
        // both the column list and $where are concatenated straight into the SQL text
        $query = "SELECT `".implode("`, `", $columns)."` FROM glpi_plugin_archimap_configs $where ORDER BY `".implode("`, `", $columns)."`";
# [...]
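As an added example (written for this page, not the plugin's own code and not the fix the maintainer shipped in v3.2.13), the handler above can be hardened along three lines: require an authenticated session before reading the body, take table and column identifiers only from a fixed allow-list instead of the request, and replace the free-form "where" string with column/value filters whose values are bound as prepared-statement parameters. The GLPI session check is represented by a boolean parameter (an assumption about how the plugin would wire it), and the allow-list contents and sample rows are constructed for the demo; it runs stand-alone against an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Added example, not the glpi-archimap code. Hardened replacement for the
// getconfig handler: authentication first, identifiers from an allow-list,
// values bound via PDO. Table layout and rows below are constructed.

// Assumed allow-list of exposable tables and their columns (constructed).
const ALLOWED_TABLES = [
    'glpi_plugin_archimap_configs' => ['id', 'name', 'value'],
];

/** Throw unless every name is a plain, allow-listed identifier. */
function validateIdentifiers(string $table, array $columns): void
{
    if (!isset(ALLOWED_TABLES[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    foreach ($columns as $c) {
        if (!is_string($c) || !in_array($c, ALLOWED_TABLES[$table], true)) {
            throw new InvalidArgumentException('column not allowed: ' . var_export($c, true));
        }
    }
}

/** Run the SELECT: identifiers are allow-listed, filter values are bound. */
function fetchConfig(PDO $db, string $table, array $columns, array $filters): array
{
    if ($columns === []) {
        throw new InvalidArgumentException('no columns requested');
    }
    validateIdentifiers($table, $columns);
    validateIdentifiers($table, array_keys($filters)); // filter keys are identifiers too

    $cols   = implode(', ', array_map(fn(string $c): string => "`$c`", $columns));
    $sql    = "SELECT $cols FROM `$table`";
    $params = [];
    if ($filters !== []) {
        $clauses = [];
        foreach ($filters as $col => $val) {
            $clauses[]       = "`$col` = :$col"; // $col already validated above
            $params[":$col"] = $val;             // value never enters the SQL text
        }
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    $sql .= " ORDER BY $cols";

    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Equivalent of the ajax entry point. $rawBody is what php://input would
 * hold; $authenticated stands in for the GLPI login check (assumption).
 * Returns [http status, payload].
 */
function handleGetConfig(string $rawBody, bool $authenticated, PDO $db): array
{
    if (!$authenticated) {
        return [403, ['error' => 'login required']];
    }
    $requests = json_decode($rawBody, true);
    if (!is_array($requests)) {
        return [400, ['error' => 'body must be a JSON array']];
    }
    $out = [];
    try {
        foreach ($requests as $key => $req) {
            $out[$key] = fetchConfig(
                $db,
                (string)($req['table'] ?? ''),
                (array)($req['columns'] ?? []),
                (array)($req['where'] ?? [])
            );
        }
    } catch (InvalidArgumentException $e) {
        return [400, ['error' => $e->getMessage()]];
    }
    return [200, $out];
}

// ---- demo on constructed data ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE glpi_plugin_archimap_configs (id INTEGER, name TEXT, value TEXT)');
$db->exec("INSERT INTO glpi_plugin_archimap_configs VALUES (1,'theme','dark'),(2,'lang','en')");

$body = json_encode([
    ['table' => 'glpi_plugin_archimap_configs', 'columns' => ['id', 'name'], 'where' => ['name' => 'lang']],
]);
print_r(handleGetConfig($body, false, $db)); // no session: refused before the body is parsed
print_r(handleGetConfig($body, true, $db));  // authenticated: one filtered row

// A body naming a table or column outside the allow-list is rejected
$bad = json_encode([['table' => 'another_table', 'columns' => ['name']]]);
print_r(handleGetConfig($bad, true, $db));
```

Note that the filter values never touch the SQL string: with bound parameters, a value such as `lang' OR 1=1--` is compared literally against the column. Identifiers cannot be bound, which is why they are taken from a static allow-list rather than sanitized.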

Data exfiltration

Extract GLPI usernames

Extract GLPI password hashes

Impact

A non-authenticated attacker can download the entire GLPI database. Moreover, they could cause a denial of service on the GLPI instance by saturating the MySQL workers with computationally heavy queries.

References

We are processing your report and will contact the ericferon/glpi-archimap team within 24 hours. a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the ericferon/glpi-archimap team and are waiting to hear back a month ago
We have sent a follow up to the ericferon/glpi-archimap team. We will try again in 7 days. a month ago
ericferon validated this vulnerability a month ago
xanhacks has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
ericferon marked this as fixed in v3.2.13 with commit 53ecec a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ericferon published this vulnerability a month ago