In this deep-dive post, we’ll explore CVE-2022-34127, a security vulnerability discovered in the Managentities plugin for GLPI (versions before 4..2). We’ll break down the vulnerability, show code examples, link to original resources, and even highlight how an exploit could work—using plain, clear english.
What is GLPI and Managentities?
GLPI is a widely-used, open-source IT asset and service desk management platform. The Managentities plugin lets users manage different organizations within GLPI. Security flaws here can have big impacts on sensitive IT environments.
About CVE-2022-34127
This vulnerability, reported in 2022, allows attackers to read any file on the server, if they can access GLPI with the vulnerable plugin installed. It’s a classic *directory traversal* flaw—attacker-supplied input tricking the application into reading files outside of the intended directory structure.
Vulnerable versions:
Managentities plugin before 4..2
Vulnerable file and parameter:
inc/cri.class.php – specifically, a file parameter used within this script.
Original CVE details:
- CVE listing on NVD
- Security advisory by GLPI
How the Vulnerability Works
The issue comes from poor validation of a user-supplied parameter, which is used to read files. Instead of checking if the filename stays in a safe spot, the code trusts what is passed—even if it tries to go back up directories using ../ sequences (called “dot dot slash").
How does directory traversal work?
Let’s say the application needs to read a config file:
inc/cri.class.php?file=config.txt
But what if someone enters:
inc/cri.class.php?file=../../../../etc/passwd
If the code doesn’t check for this, it might read and display the system’s /etc/passwd file—a critical security problem!
Vulnerable Code Example
Here’s a simple code snippet based on public descriptions (not the real plugin code, but mimicking the logic):
<?php
// in 'inc/cri.class.php'
if (isset($_GET['file'])) {
$file = $_GET['file'];
$filepath = "files/" . $file; // Intends to only use files from 'files' directory
if (file_exists($filepath)) {
echo file_get_contents($filepath);
} else {
echo "File not found";
}
}
?>
The problem:
An attacker can supply file=../../../../etc/passwd, causing PHP to read from outside the ‘files’ directory.
Suppose the vulnerable plugin is running on
https://example-glpi.com/plugins/managentities/inc/cri.class.php?file=../../../../etc/passwd
If you browse to this URL, you might see the contents of /etc/passwd appear in the browser—a devastating information disclosure.
> Notice: This works *only* if GLPI is installed on a Linux server and directory traversal is not blocked.
A simple proof-of-concept (PoC) using *curl*
curl "https://victim-glpi.com/plugins/managentities/inc/cri.class.php?file=../../../../etc/passwd";
Or targeting Windows hosts
curl "https://victim-glpi.com/plugins/managentities/inc/cri.class.php?file=../../../../windows/win.ini";
This can also be tested in any browser by constructing the URLs as shown above.
What Can an Attacker Achieve?
- Read sensitive files (/etc/passwd, server configs, database credentials)
Fix and Mitigation
Upgrade Immediately:
Version 4..2 fixes the issue. Download the patched plugin here:
Managentities Plugin Releases
Defense tips:
Example of a safer approach
<?php
$allowed_files = ['config.txt', 'settings.ini'];
$file = $_GET['file'] ?? '';
if (in_array($file, $allowed_files)) {
echo file_get_contents("files/" . $file);
} else {
echo "File not allowed";
}
?>
References
- Official CVE entry at NIST
- Managentities plugin GitHub repo
- Security advisory & release notes (4..2)
Final Thoughts
Directory traversal bugs like CVE-2022-34127 are simple but dangerous. They highlight why input validation is so important, especially in plugins and add-ons written by third parties. If you use GLPI, double check your plugins—patch regularly, and never underestimate the security of even small extensions.
Timeline
Published on: 04/16/2023 03:15:00 UTC
Last modified on: 04/25/2023 18:43:00 UTC