GLPI, an acronym for Gestionnaire Libre de Parc Informatique, is a powerful, open-source asset and IT management software suite that helps businesses manage and track their IT resources efficiently. It is widely used for inventory tracking, asset management, software distribution, and helpdesk functions. It also provides robust reporting features and an easy-to-use web interface for managing IT assets.

Vulnerability - CVE-2022-39262

CVE-2022-39262 is a security vulnerability in GLPI affecting versions prior to 10..4. It allows an attacker with administrative access to inject malicious code through the rich-text content feature and use it to steal authentication credentials. This code injection vulnerability results from improper sanitization of user-provided input.

Exploit Details

One GLPI feature lets administrators create rich-text content that is displayed on the login page. This content can include hyperlinks, images, and various other HTML elements. An attacker with administrative access to GLPI can submit malicious code as the rich-text content. Consequently, when a GLPI user visits the login page, their browser renders the injected code, enabling phishing attacks and the theft of sensitive credentials such as usernames and passwords.

An example of the malicious code an attacker can use as part of the rich-text content:

<p>Hello,
 Please log in using your GLPI credentials: <a href="https://attacker-website.com/phishing-page" target="_blank" rel="noopener noreferrer">Log in</a>.</p>

This code snippet creates a hyperlink that users may inadvertently click, redirecting them to a phishing website that impersonates the legitimate login page and steals their sensitive information.
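As an added example (not GLPI's own code, which is PHP), the Python allowlist sanitizer below shows the kind of validation and escaping that closes this class of bug: text is always re-escaped, script elements and event-handler attributes are dropped, and any link whose host is not on an allowlist is unwrapped to plain text, so the phishing link above no longer renders as a link. The allowed tag and attribute lists and the host `glpi.example.internal` are assumptions chosen for this illustration.

```python
# Added example (not GLPI code): allowlist sanitizer for login-page rich text; the lists below are assumptions.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "target", "rel"}}   # no on* handlers, no style

class LoginBannerSanitizer(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed_hosts = allowed_hosts
        self.out = []
        self.open_tags = []   # tags we emitted, so we can close them in order
        self.skip_depth = 0   # >0 while inside <script>/<style>: drop everything

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag: drop the tag, keep its text
        attrs = dict(attrs)
        if tag == "a":
            p = urlparse((attrs.get("href") or "").strip())
            if p.scheme not in ("http", "https") or p.hostname not in self.allowed_hosts:
                return        # off-site, javascript: or schemeless link: unwrap it
        kept = "".join(f' {k}="{escape(v)}"' for k, v in attrs.items()
                       if k in ALLOWED_ATTRS.get(tag, set()) and v is not None)
        self.out.append(f"<{tag}{kept}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip_depth:
            self.skip_depth -= 1
        elif self.open_tags and self.open_tags[-1] == tag:
            self.out.append(f"</{self.open_tags.pop()}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is always re-escaped

def sanitize_login_banner(html, allowed_hosts=("glpi.example.internal",)):
    """Return banner HTML that is safe to render on the login page."""
    s = LoginBannerSanitizer(set(allowed_hosts))
    s.feed(html)
    s.close()
    s.out.extend(f"</{t}>" for t in reversed(s.open_tags))  # close anything left open
    return "".join(s.out)
```

Run on the snippet above, the attacker's anchor is removed and only the words "Log in" remain inside the paragraph, while a link to an allowlisted host keeps its href and rel but loses any onclick handler.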

Prevention and Mitigation

The GLPI team has patched this vulnerability by validating and escaping the user-provided input in version 10..4. Updating your GLPI installation immediately is strongly recommended to avoid the risks associated with this vulnerability. Additionally, administrators should enforce strong access control policies to prevent unauthorized administrative access.

1. Back up your current GLPI installation and database.

2. Download the latest GLPI version (10..4) from the official website: https://glpi-project.org/downloads/

References

1. GLPI Official Website: https://glpi-project.org/
2. CVE-2022-39262 Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39262
3. GLPI 10..4 Release Notes: https://github.com/glpi-project/glpi/releases/tag/10..4

To summarize, CVE-2022-39262, a recently discovered security vulnerability in GLPI, allows an attacker with administrative access to inject malicious code through the rich-text content feature. It poses a serious threat to businesses because it enables phishing attacks and credential theft. Update your GLPI installation to version 10..4 immediately and implement secure access control to prevent unauthorized administrative access.

Timeline

Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/03/2022 17:34:00 UTC