IDOR on save email configuration leads to account takeover in glpi-project/glpi
Feb 22nd 2023
An attacker with a low privileged account on the latest GLPI version could change other users' email when saving his own user preferences. After that, if "Forgot password" is enabled via email, the attacker will be able to retrieve the victim's forgot-password link at the modified email to complete the account takeover.
Proof of Concept
I've created a GLPI instance at https://services.glpi-network.com/login, with the latest version 10.0.6. There will be three users:
- Super admin - used to create the victim and attacker users.
- victimUser : the victim that will suffer the attack
- attackerUser : the evil attacker that will harm the victim's account.
At the beginning, the users in the admin configuration look like this:
Log in with the attackerUser account (low privileged) and go to the "My Settings" tab in the profile options. In this case: https://bountyglpi.with18.glpi-network.cloud/front/preference.php
Save the profile and intercept the request with Burp:
Notice the fields:
Content-Disposition: form-data; name="_default_email"

3
------WebKitFormBoundaryitdBuCBRGWdtm7aA
Content-Disposition: form-data; name="_useremails"

firstname.lastname@example.org
Here the _default_email id = 3 is associated with attackerUser, and the _useremails value is set in the second field = email@example.com.
Modify both 3s with a 2, in order to modify the data of the user with id = 2; this will be the victimUser, but it could also be done with id = 1, the admin user.
The intercepted request will look like:
The attack has been done successfully: attackerUser has modified victimUser's account. If forgot password by email is enabled, the attacker could retrieve the victim's token to restore the account to the new email set on his account. This affects the integrity, security and confidentiality of the application.
Screenshot from the admin dashboard with the users' information; notice the victim's email:
A low privileged user could modify the emails associated with other users' (or administrators') accounts. If authentication is being made with email, victims won't be able to log in to their accounts. If "forgot password" is enabled, an attacker will be able to manipulate the victim's email and retrieve a token to modify the password, gaining total control of the victim's account. This vulnerability (IDOR) allows an attacker to manipulate other users' emails.
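Added example, not GLPI's own code: a minimal model of the "save my preferences" handler showing the IDOR shape described above (the row to update is chosen by the client-supplied _default_email id alone) next to the ownership check that closes it. The email table, user ids and addresses are constructed fixtures mirroring the report (email row 3 belongs to attackerUser, row 2 to victimUser).

```python
from copy import deepcopy


class Forbidden(Exception):
    """Raised when a submitted email id is not owned by the session user."""


# Constructed fixture: user_emails rows keyed by id, each tied to its owner
# (users_id). Row 3 is attackerUser's address, row 2 is victimUser's.
USER_EMAILS = {
    2: {"users_id": 2, "email": "victim@example.org"},
    3: {"users_id": 3, "email": "attacker@example.org"},
}

# Constructed form as replayed in the report: attackerUser (users_id 3)
# resubmits the preferences form with the victim's email row id.
TAMPERED_FORM = {"_default_email": "2", "_useremails": "attacker-owned@example.org"}


def save_unchecked(table, session_user, form):
    """Vulnerable shape: trusts the id from the form, never compares it with the owner."""
    table = deepcopy(table)  # work on a copy so callers' fixtures stay intact
    email_id = int(form["_default_email"])
    # session_user is unused here: any existing row id can be rewritten (IDOR).
    table[email_id]["email"] = form["_useremails"]
    return table


def save_checked(table, session_user, form):
    """Hardened shape: resolve the row, then require that it belongs to the session user."""
    table = deepcopy(table)
    email_id = int(form["_default_email"])
    row = table.get(email_id)
    if row is None or row["users_id"] != session_user:
        # Reject outright (and log it): a mismatched id is a tampered request,
        # not a user error worth silently correcting.
        raise Forbidden(f"user {session_user} does not own email row {email_id}")
    row["email"] = form["_useremails"]
    return table


def is_rejected(table, session_user, form):
    """True when the hardened handler refuses the request."""
    try:
        save_checked(table, session_user, form)
    except Forbidden:
        return True
    return False
```

The same ownership check has to be applied to every id-keyed field of the form (the report shows _useremails as well), not only to the default-email selector.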
I confirm the security flaw.
Authentication does rely on this email list, so there is no impact on authentication, as long as the password has not been changed.
I changed impact on availability to none. Indeed global availability of GLPI service is not impacted. However, score is still high with this change.
Hi Cédric! Checked, thank you for the quick response. I've never reported a security issue before through huntr.dev in order to make the world safer ^^ and also to achieve a CVE, which steps should I follow? Thank you so much.
We do most of the work on Github.
Once we validate a security issue, we create an advisory on Github, then create a private fork to propose/validate a fix, and then we ask for Github to provide a CVE that we publish once new version is released.
I already created the security advisory draft on Github and credit you on it.
We will propose a fix soon (there is a bug on Github that prevents me from pushing a new branch).
Hi Cédric, thank you for the quick response. I've checked and approved the patch on Github. Is the CVE requested by you? Or should I do something on Github? Thank you so much, and sorry for all the questions. Have a nice day!
We will request a CVE from Github soon. We did not yet define a release date for GLPI 10.0.7, but we will keep you in touch when the approximate release date is defined.
Hi Cédric! Do you have a planned date for the release of GLPI 10.0.7 and the associated CVE? Thank you so much for your time, Camilo
Release is planned for April 05.