DIVD-2023-00016 - GLPI Remote Code Execution
| Our reference | DIVD-2023-00016 |
| Case lead | Josha Beekman |
| Author | Finn van der Knaap en Josha Beekman |
| Researcher(s) | |
| CVE(s) | |
| Product | GLPI |
| Versions |
|
| Recommendation | Update to the latest version |
| Workaround | Delete the vendor/htmlawed/htmlawed/htmLawedTest.php file, (be careful not to touch the htmLawed.php file which is legitimate). |
| Status | Closed |
| Last modified | 25 May 2023 22:15 |
Summary
On September 14, 2022, a new 0-day vulnerability came out in GLPI and was posted online. GLPI is an open source IT asset management software which is widely used. The vulnerability involves a code injection in GLPI instances versions < 10.0.3 and < 9.5.9 which results in a remote code execution vulnerability, caused by an old version of the htmlawed library (under /vendor/htmlawed/htmlawed/) that still contains the htmLawedTest.php file with code injection vulnerability.
What you can do
- Consider upgrading to the latest version.
- Delete the vendor/htmlawed/htmlawed/htmLawedTest.php file (be careful not to touch the htmLawed.php file which is legitimate). Or prevent web access to the vendor/ folder by setting (in the case of Apache, for example) an adequate .htaccess.
What we are doing
- DIVD is currently pin-pointing, all the vulnerable GLPI servers.
- DIVD is investigating if we can start informing the owners of vulnerable GLPI servers.
- DIVD started scanning for vulnerable instances.
Timeline
| Date | Description |
|---|---|
|
10 Dec 2022- 16 Dec 2022 |
Started research |
|
16 Dec 2022- 17 Dec 2022 |
Nuclei template made |
|
19 Dec 2022- 04 Mar 2023 |
Started scanning for vulnerable instances |
| 16 Mar 2023 | First mail round sent |
| 16 Mar 2023 | Case file posted |
| 09 May 2023 | Second scan for vulnerable instances |
| 10 May 2023 | Second mail round |
| 25 May 2023 | Case closed |
gantt
title DIVD-2023-00016 - GLPI Remote Code Execution
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2023-00016 - GLPI Remote Code Execution (196 days) :2022-11-10, 2023-05-25
section Events
Started research (6 days) : 2022-12-10, 2022-12-16
Nuclei template made (1 days) : 2022-12-16, 2022-12-17
Started scanning for vulnerable instances (75 days) : 2022-12-19, 2023-03-04
First mail round sent : milestone, 2023-03-16, 0d
Case file posted : milestone, 2023-03-16, 0d
Second scan for vulnerable instances : milestone, 2023-05-09, 0d
Second mail round : milestone, 2023-05-10, 0d
Case closed : milestone, 2023-05-25, 0d