Gestionnaire Libre de Parc Informatique (GLPI) is a popular open-source IT Asset Management and ITIL Service Desk software designed to help organizations maintain and manage their software and hardware inventory. It is a widely used solution in many organizations, providing IT administrators with license tracking and software auditing features.

Recently, a security vulnerability (CVE-2022-39234) has been discovered in GLPI versions prior to 10.0.4, which allows deleted or deactivated user accounts to continue accessing the system as long as they possess a valid cookie.

In this article, we will take a closer look at the details of this exploit, discuss how it has been addressed in the patched version, and provide a code snippet for managing user authentication in GLPI.

Exploit Details

The vulnerability lies in the way GLPI handles user authentication, particularly when users are deleted or deactivated in the system. Since the session management relies on a user's cookie, a deleted or deactivated account with a valid cookie can continue to access restricted areas within GLPI until the cookie expires.

The issue involves the "initSession" function in the "Session.class.php" file, where the user's status and expiration date are not checked during the authentication process.

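public static function initSession($user = null) {
   ...
   $session_life_time = max(30, $CFG_GLPI["session_lifetime"]);

   if ($cookie !== null
       && ... ) {
      // No check of the account's status or expiration date here:
      // a valid cookie alone is enough to continue the session.
      ...
      return true;
   }
}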

To fix this issue, the GLPI development team has introduced a patch in version 10.0.4, which adds checks for the user's status and expiration date during the authentication process.

Here's the updated code snippet (after the patch):

public static function initSession($user = null) {
   ...
   $session_life_time = max(30, $CFG_GLPI["session_lifetime"]);

   if ($cookie !== null
       && ... ) {
      // Check for user account status and expiration date.
      // Reject the session if the account is deleted, inactive,
      // or has an expiration date that is already in the past.
      if ($user->fields['is_deleted']
          || $user->fields['is_active'] != 1
          || (!is_null($user->fields['expdate'])
              && $user->fields['expdate'] < date('Y-m-d'))) {
         return false;
      }
      ...
      return true;
   }
}
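The difference between the two snippets can be run end to end with the sketch below. It is an added example, not GLPI's code: the functions `accountIsUsable`, `resumeCookieOnly` and `resumeWithAccountCheck`, the in-memory user and session arrays, and the fixed date are all hypothetical; only the field names `is_deleted`, `is_active` and `expdate` come from the snippet above.

```php
<?php
declare(strict_types=1);

// Constructed sample rows; field names follow the snippet above.
$users = [
    'alice' => ['is_deleted' => 0, 'is_active' => 1, 'expdate' => null],
    'bob'   => ['is_deleted' => 1, 'is_active' => 1, 'expdate' => null],
    'carol' => ['is_deleted' => 0, 'is_active' => 0, 'expdate' => null],
    'dave'  => ['is_deleted' => 0, 'is_active' => 1, 'expdate' => '2022-01-31'],
];
// Constructed session store: session cookie value => owning user.
$sessions = ['c1' => 'alice', 'c2' => 'bob', 'c3' => 'carol', 'c4' => 'dave'];

// Hypothetical helper: true only if the account may still use the application.
function accountIsUsable(array $fields, DateTimeImmutable $now): bool
{
    if ((int) $fields['is_deleted'] === 1 || (int) $fields['is_active'] !== 1) {
        return false;
    }
    // A null expdate means the account never expires.
    return $fields['expdate'] === null
        || new DateTimeImmutable($fields['expdate']) >= $now->setTime(0, 0);
}

// "Before" behaviour: a known cookie is enough to resume the session.
function resumeCookieOnly(string $cookie, array $sessions): bool
{
    return isset($sessions[$cookie]);
}

// "After" behaviour: re-check the account on every resume and drop stale sessions.
function resumeWithAccountCheck(string $cookie, array &$sessions, array $users, DateTimeImmutable $now): bool
{
    $name = $sessions[$cookie] ?? null;
    if ($name === null || !isset($users[$name]) || !accountIsUsable($users[$name], $now)) {
        unset($sessions[$cookie]); // invalidate server-side, not just refuse once
        return false;
    }
    return true;
}

$now = new DateTimeImmutable('2022-11-03'); // fixed date so the run is reproducible
foreach (array_keys($sessions) as $cookie) {
    $owner = $sessions[$cookie];
    printf("%s (%s): cookie-only=%s checked=%s\n", $cookie, $owner,
        var_export(resumeCookieOnly($cookie, $sessions), true),
        var_export(resumeWithAccountCheck($cookie, $sessions, $users, $now), true));
}
```

Removing the session entry on a failed check means the cookie stays unusable even if the account is later reactivated, so the user has to authenticate again.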

Reference

The official GLPI repository on GitHub provides detailed information on this vulnerability and the patch, released in version 10.0.4. The related pull request can be found at the following link:

https://github.com/glpi-project/glpi/releases/tag/10.0.4

Recommendation

If you are using GLPI, it is strongly recommended that you upgrade to version 10.0.4 or later, as this issue has been addressed in the latest release. It is also essential to ensure that your software and infrastructure are kept up-to-date with the latest security patches to minimize potential risks.

There are currently no known workarounds for this vulnerability. Hence, upgrading your GLPI installation to the latest version is the best course of action.

Conclusion

Understanding the criticality of this vulnerability and its potential implications to your organization is paramount. Staying informed and up-to-date on security advisories such as CVE-2022-39234 can help you safeguard your data and secure your IT environment.

Timeline

Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/04/2022 02:54:00 UTC