DIVD-2023-00016 - GLPI Remote Code Execution
Our reference | DIVD-2023-00016
Case lead | Josha Beekman
Author | Finn van der Knaap and Josha Beekman
Researcher(s) |
CVE(s) |
Product | GLPI
Versions |
Recommendation | Update to the latest version
Workaround | Delete the vendor/htmlawed/htmlawed/htmLawedTest.php file (be careful not to touch the htmLawed.php file, which is legitimate).
Status | Open
Last modified | 15 Mar 2023 12:42
Summary
The case involves a code injection vulnerability in GLPI instances of versions < 10.0.3 and < 9.5.9, caused by an old version of the htmlawed library (under /vendor/htmlawed/htmlawed/) that still ships the htmLawedTest.php file, which contains a code injection vulnerability.
What you can do
Update your instance, or delete the vendor/htmlawed/htmlawed/htmLawedTest.php file (be careful not to touch the htmLawed.php file, which is legitimate). Alternatively, prevent web access to the vendor/ folder altogether, for example by placing an appropriate .htaccess there in the case of Apache.
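The following POSIX shell script is an added example, not part of the DIVD advisory and not tooling from the GLPI project. It implements the workaround above for an administrator: it checks whether the leftover htmLawedTest.php is present under a GLPI installation, removes only that file (leaving htmLawed.php in place), and writes an Apache .htaccess into vendor/ that denies all web access to the directory. The GLPI root path is an assumption supplied by the caller; the file paths below it are the ones named in the advisory.

```shell
#!/bin/sh
# Added example (not DIVD's or GLPI's own tooling). Usage:
#   sh glpi_htmlawed_check.sh /var/www/glpi     (the GLPI root is an assumption)

# Return 0 when the vulnerable test file is present under the GLPI root $1, 1 otherwise.
glpi_has_htmlawed_test() {
    [ -f "$1/vendor/htmlawed/htmlawed/htmLawedTest.php" ]
}

# Remove only htmLawedTest.php; htmLawed.php next to it is the legitimate library and stays.
glpi_remove_htmlawed_test() {
    rm -f "$1/vendor/htmlawed/htmlawed/htmLawedTest.php"
}

# Print an .htaccess body that blocks all web access to vendor/, covering both
# Apache 2.4 (mod_authz_core) and the older 2.2-style access directives.
vendor_htaccess_body() {
    cat <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Write the deny rule to $1/vendor/.htaccess (creates vendor/ if it is missing).
glpi_write_vendor_htaccess() {
    mkdir -p "$1/vendor"
    vendor_htaccess_body > "$1/vendor/.htaccess"
}

# Stand-alone behaviour: report the state of the GLPI root given as first argument.
if [ -n "${1:-}" ]; then
    if glpi_has_htmlawed_test "$1"; then
        echo "VULNERABLE: $1/vendor/htmlawed/htmlawed/htmLawedTest.php is present"
    else
        echo "OK: htmLawedTest.php not found under $1"
    fi
fi
```

Note that the .htaccess rule only takes effect if Apache honours per-directory overrides for the GLPI document root (AllowOverride), so verify with an HTTP request to /vendor/ after deploying it; on other web servers the equivalent location block must be configured instead.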
What we are doing
We are currently informing the vulnerable parties.