SQL Injection - SQL as a service (No-auth) in ericferon/glpi-archimap


Reported on Oct 27th 2022


The GLPI plugin named glpi-archimap contains an ajax route named getconfig.php which allows a user to retrieve the plugin configuration.

However, this route is accessible to everyone because there is no authentication check. Moreover, an attacker can inject their own SQL queries and receive the result of those queries directly in the HTTP response!

Proof of Concept

Plugin installation via Marketplace

You can install the plugin glpi-archimap using the marketplace.

SQL Injection

As you can see below, the plugin builds SQL queries by concatenating user input (the closing brace of the else branch, missing from the excerpt, has been restored):

$tables = file_get_contents('php://input');
if (isset($tables)) {
    $tables = json_decode($tables);
} else {
    die("No 'tables' contained in body of POST request 'getconfig'");
}
$datas = [];
foreach($tables as $key => $tablecolumn) {
    $table = $tablecolumn->table;
    $columns = explode(",", str_replace(' ', '', $tablecolumn->column)); // suppress spaces and split on comma
    $where = ($tablecolumn->where ? " WHERE ".$tablecolumn->where : ""); // user-controlled WHERE clause
    if (!in_array(strtolower($table), $forbidden_tables)) {
        // $columns and $where are concatenated unescaped into the query
        $query = "SELECT `".implode("`, `", $columns)."` FROM glpi_plugin_archimap_configs $where ORDER BY `".implode("`, `", $columns)."`";
# [...]
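A hardened version of the same handler, added here as an example; it is not the plugin's own code nor its actual fix in v3.2.13. It assumes GLPI core's Session::checkLoginUser() and the $DB->request() query builder; the column allowlist is hypothetical.

```php
<?php
// Added example, not the plugin's code: hardened getconfig.php handler.
// Assumes GLPI core provides Session::checkLoginUser() and a global $DB
// (DBmysql) whose request() method builds queries from an array.
include('../../../inc/includes.php');

// 1. Authentication: reject unauthenticated callers before touching the DB.
Session::checkLoginUser();

// 2. Hypothetical allowlist: only these column names may be requested.
$allowed_columns = ['id', 'name', 'value'];

$body   = file_get_contents('php://input');
$tables = json_decode($body);
if (!is_array($tables)) {
    http_response_code(400);
    die("Invalid JSON body for 'getconfig'");
}

$datas = [];
foreach ($tables as $key => $tablecolumn) {
    if (!is_object($tablecolumn) || !isset($tablecolumn->column)) {
        http_response_code(400);
        die("Malformed entry in 'tables'");
    }
    $columns = array_map('trim', explode(',', $tablecolumn->column));
    // Every requested column must be on the allowlist; anything else is refused,
    // so no caller-supplied text ever reaches the SQL string.
    $unknown = array_diff($columns, $allowed_columns);
    if (count($columns) === 0 || count($unknown) > 0) {
        http_response_code(400);
        die("Unknown column requested");
    }
    // 3. Fixed table, no user-controlled WHERE: the query shape is constant
    //    and the builder quotes the allowlisted identifiers itself.
    $datas[$key] = iterator_to_array($DB->request([
        'SELECT' => $columns,
        'FROM'   => 'glpi_plugin_archimap_configs',
        'ORDER'  => $columns,
    ]), false);
}

header('Content-Type: application/json');
echo json_encode($datas);
```

Requests for the original payload's table or where fields are simply ignored, so a caller can neither pick another table nor append conditions.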

Data exfiltration

Extract GLPI usernames

Extract GLPI passwords hash


An unauthenticated attacker is able to download the entire GLPI database. Moreover, they could DDoS the GLPI instance by saturating the MySQL workers with mathematical queries.


We are processing your report and will contact the ericferon/glpi-archimap team within 24 hours.
We created a GitHub Issue asking the maintainers to create a SECURITY.md.
We have contacted a member of the ericferon/glpi-archimap team and are waiting to hear back.
We have sent a follow up to the ericferon/glpi-archimap team. We will try again in 4 days.
ericferon validated this vulnerability.
xanhacks has been awarded the disclosure bounty
ericferon marked this as fixed in v3.2.13 with commit 53ecec.
This vulnerability has now been published.