Modern IT departments rely on centralized ticket and asset management, making security issues in tools like GLPI a serious concern. In mid-2022, a significant vulnerability—CVE-2022-34126—was found in the Activity plugin for GLPI. Before you shrug and move on, here’s why you should care: this flaw lets attackers read any file on your server, as long as they know its path. Even worse, the exploit is shockingly simple.
In this post, you'll get a clear breakdown of this vulnerability, how it works, real exploit details, and what you can do if your system might be at risk.
What is GLPI and the Activity Plugin?
GLPI is a widely-used IT asset and service management system. It lets organizations track computers, handle service requests, and much more. Thousands of companies, schools, and governments rely on GLPI.
The Activity plugin tracks and logs business activities within the GLPI system. It’s a common add-on for organizations wanting more detailed information for audits or compliance.
The Vulnerability: Directory Traversal
At the core of CVE-2022-34126 is a classic and dangerous issue: directory traversal in front/cra.send.php.
The plugin did not properly sanitize input passed to a file parameter, allowing attackers to request sensitive files by crafting malicious URLs. In plain English: someone could trick the server into reading and showing the contents of any file it could access, like:
- /etc/passwd on Linux servers
- config/config_db.php for sensitive GLPI information
Affected versions: Activity plugin versions before 3.1.1 (patched in 3.1.1; see the 3.1.1 release notes).
Where’s the Problem?
The bug resides in `front/cra.send.php`.
It takes a filename as input—but fails to check for dangerous patterns like ../ (dot-dot-slash), which are commonly used in path traversal.
Let’s say the Activity plugin exposes a page like this:

```
https://glpi.example.com/plugins/activity/front/cra.send.php?file=myreport.log
```

But what happens if someone changes the file parameter?

```
https://glpi.example.com/plugins/activity/front/cra.send.php?file=../../../etc/passwd
```

The server will:
- Enter the system folder
- Read the requested file (like /etc/passwd)
Here’s a pared-down example inspired by what happens under the hood:

```php
<?php
// front/cra.send.php (simplified, deliberately vulnerable)
// The file name is taken straight from the query string...
$file = $_GET['file'] ?? '';
// ...and handed to file_exists()/readfile() unchanged, so "../" sequences
// resolve relative to the script's directory and walk out of it.
if (file_exists($file)) {
    readfile($file);
}
?>
```
What's missing?
Any sanitization or check against directory traversal. No attempt to limit file access to a specific directory or deny suspicious patterns.
Proof-of-Concept (PoC) URL

```
https://glpi.example.com/plugins/activity/front/cra.send.php?file=../../../config/config_db.php
```
With this, the attacker can fetch sensitive database credentials.
PoC using curl

```
curl "https://glpi.example.com/plugins/activity/front/cra.send.php?file=../../../etc/passwd"
```
Result:
A dump of the /etc/passwd file in the terminal, showing user accounts on the server.
Beyond /etc/passwd, the same request can read web server or application config files.
If your GLPI server is open online or accessible from untrusted networks, this is critical.
Upgrade the Activity Plugin
The plugin authors fixed this in version 3.1.1.
- Download the 3.1.1 update (see the plugin repo and changelog in the references)
Never trust user input for file paths.
- Sanitize parameters to refuse any input containing .. or beginning with /.
```php
// Only allow reading from a specific directory
$basename = basename($_GET['file'] ?? 'default.txt'); // drops any directory part, including "../"
$safe_dir = '/var/www/html/glpi/files/';
$path = realpath($safe_dir . $basename);            // false if the file does not exist
if ($path === false || strpos($path, $safe_dir) !== 0) { http_response_code(404); exit; } // must stay inside $safe_dir
readfile($path);
```
References
- CVE-2022-34126 entry
- Original security advisory
- Activity plugin repo & changelog
- OWASP: Path Traversal
Final Thoughts
CVE-2022-34126 is a reminder that old bugs like path traversal can have new risks in widely-used tools. Make sure you’re running the latest plugin versions, review security advisories for your tools, and avoid exposing management systems to the open internet.
If you need to check your GLPI for this problem:
If it works, update ASAP and review server logs for possible exploitation.
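To make the log review concrete, here is an added example (not code from the original post or the plugin) that scans web-server access-log lines in the common Apache/nginx "combined" format for requests to cra.send.php whose `file` parameter tries to leave its directory. The log lines are constructed for the example; the field layout and the `/plugins/activity/front/cra.send.php` path are the only assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Apr/2023:03:20:01 +0000] "GET /plugins/activity/front/cra.send.php?file=myreport.log HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2023:03:20:05 +0000] "GET /plugins/activity/front/cra.send.php?file=../../../etc/passwd HTTP/1.1" 200 2211 "-" "curl/7.88.1"
198.51.100.3 - - [16/Apr/2023:03:21:09 +0000] "GET /plugins/activity/front/cra.send.php?file=..%2F..%2F..%2Fconfig%2Fconfig_db.php HTTP/1.1" 200 911 "-" "python-requests/2.28"
198.51.100.3 - - [16/Apr/2023:03:21:30 +0000] "GET /plugins/activity/front/cra.send.php?file=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0 "-" "python-requests/2.28"
192.0.2.9 - - [16/Apr/2023:03:22:00 +0000] "GET /front/ticket.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Fields of the combined format we need: client IP, timestamp, request target, status, response size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')

def fully_decode(value, rounds=3):
    """Percent-decode until stable so a double-encoded value is compared in the form the server finally sees."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(file_param):
    """True if the file parameter tries to leave its directory: a '..' segment or an absolute path."""
    decoded = fully_decode(file_param).replace('\\', '/')
    return decoded.startswith('/') or '..' in decoded.split('/')

def scan_log(text):
    """Return one record per request to cra.send.php whose file= parameter is a traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        # endswith() so a GLPI installed under a sub-path (e.g. /glpi/) is still matched
        if not url.path.endswith('/plugins/activity/front/cra.send.php'):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get('file', []):
            if is_traversal(value):
                hits.append({
                    'ip': m['ip'], 'time': m['ts'], 'file': fully_decode(value),
                    'status': int(m['status']),
                    # a 200 with a non-empty body means the file contents most likely left the server
                    'likely_success': m['status'] == '200' and m['size'] not in ('-', '0'),
                })
    return hits
```

Run `scan_log()` over your real access log; every hit with `likely_success` set deserves the same treatment as a confirmed credential exposure (rotate the database password in config_db.php).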
Stay careful, and never assume the software you use gets these little details right—because attackers aren’t making that assumption.
*Feel free to share this guide or use it in your security awareness trainings.*
Timeline
Published on: 04/16/2023 03:15:00 UTC
Last modified on: 04/25/2023 18:52:00 UTC