CVE-2022-39181 - GLPI Reports Plugin Reflected Cross-Site Scripting (RXSS) Vulnerability

GLPI (Gestionnaire Libre de Parc Informatique) is free and open-source IT service management software used for inventory, asset tracking and IT support (helpdesk) tasks. Its functionality is extended through plugins; the Reports plugin adds predefined reports and lets users generate further reports from the inventory data. A reflected cross-site scripting (RXSS) vulnerability, tracked as CVE-2022-39181, has been reported in this plugin.

What is Reflected Cross-Site Scripting (RXSS)?
Reflected cross-site scripting (RXSS) is a web application vulnerability in which untrusted data from an HTTP request (typically a URL parameter) is copied into the response without adequate output encoding, so that attacker-controlled markup or script becomes part of the page the victim's browser renders. The attacker delivers the payload by embedding it in a link that is posted publicly, sent by e-mail or placed on a third-party site; the victim's own browser then executes it in the origin of the vulnerable application, with the victim's cookies and session. Because the payload is not stored by the application and appears only in the response to the request that carried it, it is said to be "reflected" back to the user. Against a logged-in GLPI user this means the attacker's script can act in the application as that user.

CVE-2022-39181: GLPI Reports Plugin RXSS Vulnerability Details

A reflected cross-site scripting vulnerability has been reported in the GLPI Reports plugin. The root cause is that user-supplied request data is written into the plugin's HTML response without sufficient validation or output encoding. An attacker exploits it by crafting a URL to a vulnerable plugin page that carries script in the affected parameter and convincing an authenticated GLPI user to open it; the attacker does not need credentials of their own, only a victim with a valid session.

The following simplified PHP snippet illustrates the vulnerable pattern. It is schematic, showing the shape of the bug rather than a verbatim excerpt of the plugin's source:

<?php
// Request parameter copied straight into the HTML response: no output encoding
$reportName = $_REQUEST['report_name'];
echo "<h2>" . $reportName . "</h2>";

In the snippet, 'report_name' is read from $_REQUEST (which merges GET, POST and cookie data, so a plain link with a query string is enough to supply it) and written into the response unchanged. Whatever the attacker places in the parameter, a <script> block or an event-handler attribute, becomes part of the HTML the victim's browser parses, so the attacker's script runs in the victim's GLPI session. The defect is the missing output encoding at the point where the value is emitted; validating the input would reduce exposure but is not a substitute for escaping on output.

Exploit Proof of Concept

An attacker crafts a URL in which the vulnerable parameter carries a script payload. The following example targets the vulnerable GLPI Reports plugin page; the payload is shown unencoded for readability, while a link used in practice would carry it percent-encoded (%3Cscript%3E ... %3C/script%3E) so that it survives mail clients and browser URL normalisation:

http://vulnerable.example.com/plugins/reports/front/report.export.php?report_name=<script>alert("XSS");</script>

When a logged-in victim opens this URL, the plugin reflects the report_name value into its HTML, the browser executes the <script>alert("XSS");</script> portion and a dialog with the text "XSS" appears. The alert is only a harmless marker that confirms script execution; a real attacker would substitute code that runs silently with the victim's privileges in GLPI. Note that current browsers no longer ship built-in reflected-XSS filters, so nothing on the client side blocks the payload by default.

Mitigation and Recommendations

Users of the GLPI Reports plugin should upgrade to the patched release (check the plugin's release notes for the version that addresses CVE-2022-39181) and keep the GLPI core current as well. In the code, the effective fix is context-aware output encoding: every request-derived value written into HTML must pass through htmlspecialchars() with ENT_QUOTES and an explicit UTF-8 charset (or GLPI's equivalent helper) at the point of output, rather than relying on input validation alone. Reading only the expected source ($_GET or $_POST instead of $_REQUEST) and rejecting values that do not match the expected format reduce the attack surface further. As defence in depth, a Content-Security-Policy header that disallows inline script (no 'unsafe-inline' in script-src) stops a reflected <script> block from executing even if an encoding bug remains, and marking the session cookie HttpOnly keeps a successful XSS from reading it directly, though not from acting within the session.
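As an added example (not the Reports plugin's own code, and not the actual patch), the script below places the vulnerable reflection pattern beside a hardened version and runs both from the command line against a constructed payload matching the proof of concept. The function names, the allow-list pattern for report names and the CSP value are assumptions chosen for the example.

```php
<?php
// Added example, not code from the GLPI Reports plugin: vulnerable reflection
// beside the hardened form, run with a constructed payload from the CLI.
declare(strict_types=1);

// Vulnerable: the request value is concatenated into HTML unchanged.
function renderTitleVulnerable(string $reportName): string
{
    return '<h2>Report: ' . $reportName . '</h2>';
}

// Hardened: escape for the HTML context at the point of output.
// ENT_QUOTES also converts single quotes, so the same helper is safe inside
// quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would otherwise silently drop the title.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTitleHardened(string $reportName): string
{
    return '<h2>Report: ' . escHtml($reportName) . '</h2>';
}

// Read only the expected source (the query array, i.e. $_GET, not $_REQUEST)
// and constrain the format before use. The allow-list is an assumption for
// this example: letters, digits, space, underscore, dot and dash, 1-80 chars.
// Returns null on rejection so the caller can answer with HTTP 400.
function readReportName(array $query): ?string
{
    $name = $query['report_name'] ?? null;
    if (!is_string($name) || !preg_match('/^[\p{L}\p{N} _.-]{1,80}$/u', $name)) {
        return null; // rejected values are never reflected
    }
    return $name;
}

// Defence in depth: a policy with no 'unsafe-inline' means a reflected
// <script> block is not executed even if an encoding bug slips through.
// Example policy only; a real deployment tunes it to the pages it serves.
function contentSecurityPolicy(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample request mirroring the proof-of-concept payload.
$query = ['report_name' => '<script>alert("XSS");</script>'];

echo 'Vulnerable: ', renderTitleVulnerable($query['report_name']), PHP_EOL;
echo 'Hardened:   ', renderTitleHardened($query['report_name']), PHP_EOL;

$validated = readReportName($query);
echo 'Validated:  ', $validated === null
    ? 'rejected (would respond 400 Bad Request)'
    : renderTitleHardened($validated), PHP_EOL;

// In a web SAPI this header would be sent before any output; on the CLI it
// is only printed so the example stays runnable offline.
echo 'CSP header: Content-Security-Policy: ', contentSecurityPolicy(), PHP_EOL;
```

Run it with `php example.php`: the vulnerable line emits the <script> tag intact, the hardened line emits only &lt;...&gt; entities that the browser shows as text, and the validated path rejects the payload before it ever reaches the template. Escaping on output is the fix that must be present; the allow-list and the CSP header are independent layers that still hold if one of the others is bypassed.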

Original References

- GLPI Project: https://glpi-project.org/
- Reports Plugin: https://forge.glpi-project.org/projects/reports
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39181

Timeline

Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/23/2022 16:12:00 UTC