DIVD-2023-00016 - GLPI Remote Code Execution
| Field | Value |
|---|---|
| Case lead | Josha Beekman |
| Author | Finn van der Knaap and Josha Beekman |
| Recommendation | Update to the latest version |
| Workaround | Delete the vendor/htmlawed/htmlawed/htmLawedTest.php file (be careful not to touch the htmLawed.php file, which is legitimate). |
| Last modified | 25 May 2023 22:15 |
On September 14, 2022, a vulnerability in GLPI, a widely used open source IT asset management suite, was published (CVE-2022-35914). Affected are GLPI 10.0.x before 10.0.3 and 9.5.x before 9.5.9. These releases ship an old version of the htmLawed library under vendor/htmlawed/htmlawed/ that still includes the library's developer test page, htmLawedTest.php. Because that script sits in a web-served directory, it can be requested directly over HTTP without any GLPI login, and it feeds attacker-controlled request parameters into PHP code paths, which turns a code injection into unauthenticated remote code execution on the web server. The legitimate library file in the same directory, htmLawed.php, is not the problem; only the test script is.
What you can do
- Upgrade to a fixed release (10.0.3 or 9.5.9, or preferably the latest version).
- Until you can upgrade, delete vendor/htmlawed/htmlawed/htmLawedTest.php (leave htmLawed.php in the same directory alone, GLPI needs it). Alternatively, or in addition, block web access to the whole vendor/ directory; on Apache this can be done with a suitable .htaccess in vendor/, which only takes effect if AllowOverride permits it for that path (otherwise put the same rule in the server configuration). Afterwards, confirm that a request for the test script no longer returns HTTP 200.
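The steps above as one script, added here as an example; it is not part of the DIVD case file or of the GLPI project. It assumes the GLPI install root is passed as the first argument, that the web server is Apache with AllowOverride enabled for the vendor/ directory (otherwise the .htaccess is ignored and only the deletion protects you), and that curl is available for the optional remote check.

```bash
#!/bin/sh
# Added example, not DIVD or GLPI code: remove the exposed htmLawed test page
# and deny web access to vendor/ on a GLPI install.
# Assumptions: $1 is the GLPI root; Apache honours .htaccess under vendor/;
# curl is installed for the optional HTTP probe.

TEST_FILE='vendor/htmlawed/htmlawed/htmLawedTest.php'
LIB_FILE='vendor/htmlawed/htmlawed/htmLawed.php'

# Returns 0 when the exposed test script is present (instance vulnerable), 1 otherwise.
has_test_file() {
    [ -f "$1/$TEST_FILE" ]
}

# Delete only htmLawedTest.php. htmLawed.php is the legitimate library and must stay;
# refuse to report success if it is missing, because GLPI would break.
remove_test_file() {
    root=$1
    if [ -f "$root/$TEST_FILE" ]; then
        rm -f -- "$root/$TEST_FILE"
    fi
    if [ ! -f "$root/$LIB_FILE" ]; then
        echo "warning: $root/$LIB_FILE is missing; GLPI needs this file" >&2
        return 1
    fi
    return 0
}

# Write an .htaccess that denies web access to everything under vendor/.
# Carries both the Apache 2.4 (mod_authz_core) and the 2.2 syntax.
deny_vendor_access() {
    root=$1
    cat > "$root/vendor/.htaccess" <<'EOF'
# Third-party libraries are only include()d by PHP; never serve them directly.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Remote check: prints the HTTP status code for the test script on a live
# instance. 200 means it is still reachable. Needs network access.
probe_instance() {
    curl -s -o /dev/null -w '%{http_code}' "${1%/}/$TEST_FILE"
}

# Apply both workarounds to a GLPI tree; returns non-zero if the library
# file is missing after the cleanup.
harden_glpi() {
    root=$1
    if has_test_file "$root"; then
        echo "found $TEST_FILE, removing it"
        remove_test_file "$root" || return 1
    else
        echo "$TEST_FILE not present"
    fi
    deny_vendor_access "$root"
    echo "wrote $root/vendor/.htaccess"
}

# Usage: harden.sh /var/www/glpi [https://glpi.example.org]
# The second argument is a hypothetical base URL used only for the probe.
if [ $# -gt 0 ]; then
    harden_glpi "$1" || exit 1
    if [ $# -gt 1 ]; then
        echo "HTTP status for $TEST_FILE on $2: $(probe_instance "$2")"
    fi
fi
```

Run it once per install as the user that owns the GLPI tree, then call it again with the base URL to confirm the probe no longer returns 200; a 403 or 404 is what you want to see. If your Apache configuration sets AllowOverride None for the GLPI tree, copy the Require/Deny rule into a Directory block in the server configuration instead of relying on the .htaccess.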
What we are doing
- DIVD is currently pinpointing all the vulnerable GLPI servers.
- DIVD is investigating if we can start informing the owners of vulnerable GLPI servers.
- DIVD started scanning for vulnerable instances.
Timeline

| Date | Event |
|---|---|
| 10 Dec 2022 - 16 Dec 2022 | |
| 16 Dec 2022 - 17 Dec 2022 | Nuclei template made |
| 19 Dec 2022 - 04 Mar 2023 | Started scanning for vulnerable instances |
| 16 Mar 2023 | First mail round sent |
| 16 Mar 2023 | Case file posted |
| 09 May 2023 | Second scan for vulnerable instances |
| 10 May 2023 | Second mail round |
| 25 May 2023 | Case closed |