CVE-2019-10231
📋 TL;DR
CVE-2019-10231 is a PHP type juggling vulnerability in Teclib GLPI's authentication mechanism that allows attackers to bypass authentication without valid credentials. This affects all GLPI installations before version 9.4.1.1. Attackers can gain unauthorized access to the GLPI web interface with administrative privileges.
💻 Affected Systems
- Teclib GLPI
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the GLPI system, allowing attackers to access sensitive IT asset data, modify configurations, execute arbitrary code through subsequent vulnerabilities, and potentially pivot to other systems.
Likely Case
Unauthorized access to GLPI with administrative privileges, leading to data theft, system configuration changes, and potential privilege escalation on the underlying server.
If Mitigated
Limited impact if proper network segmentation, strong authentication mechanisms, and monitoring are in place to detect unauthorized access attempts.
🎯 Exploit Status
The vulnerability is in the authentication function itself, allowing unauthenticated attackers to bypass login. Exploitation requires sending specially crafted requests to the login endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.4.1.1
Vendor Advisory: https://github.com/glpi-project/glpi/releases/tag/9.4.1.1
Restart Required: No
Instructions:
1. Back up your GLPI installation and database.
2. Download GLPI version 9.4.1.1 or later from the official repository.
3. Replace the affected files, particularly inc/auth.class.php.
4. Verify the installation works correctly.
5. Test authentication functionality.
🔧 Temporary Workarounds
Authentication Hardening
Implement additional authentication layers such as IP whitelisting, web application firewall rules, or multi-factor authentication.
🧯 If You Can't Patch
- Implement network-level controls to restrict access to GLPI interface
- Deploy a web application firewall with rules to detect authentication bypass attempts
🔍 How to Verify
Check if Vulnerable:
Check GLPI version in the administration interface or by examining the CHANGELOG.md file. Versions before 9.4.1.1 are vulnerable.
Check Version:
php front/version.php or check the GLPI administration dashboard
Verify Fix Applied:
Verify the version is 9.4.1.1 or later and test authentication with various input types to ensure proper type checking.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login from same IP
- Unusual authentication patterns
- Access from unexpected user accounts
Network Indicators:
- HTTP POST requests to login endpoint with unusual parameters
- Rapid authentication attempts
SIEM Query:
source="glpi_access.log" AND (uri_path="/index.php" OR uri_path="/front/login.php") AND status=200 AND user_agent NOT IN ["normal_user_agents"]
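As an added example (not part of this advisory or of GLPI), the first log indicator above, a burst of failed logins followed by a success from the same IP, can be checked with a short script. It assumes a simplified per-event authentication log with the format `<ISO timestamp> <client ip> <user> <LOGIN_OK|LOGIN_FAIL>`; the sample lines are constructed, and the format is not GLPI's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not GLPI's real log layout):
# "<ISO timestamp> <client ip> <user> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2019-04-01T10:00:01 203.0.113.7 helpdesk LOGIN_FAIL
2019-04-01T10:00:03 203.0.113.7 helpdesk LOGIN_FAIL
2019-04-01T10:00:04 203.0.113.7 helpdesk LOGIN_FAIL
2019-04-01T10:00:06 203.0.113.7 helpdesk LOGIN_OK
2019-04-01T10:05:00 198.51.100.2 alice LOGIN_OK
2019-04-01T10:06:00 198.51.100.9 bob LOGIN_FAIL
2019-04-01T10:20:00 198.51.100.9 bob LOGIN_OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_suspicious_logins(events, min_failures=3, window=timedelta(minutes=5)):
    """Return (ip, user, timestamp) for every successful login that was
    preceded, from the same IP, by at least min_failures failures within
    the given window. Events must be in chronological order."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    hits = []
    for ts, ip, user, result in events:
        # Keep only failures that are still inside the sliding window.
        recent = [t for t in failures[ip] if ts - t <= window]
        if result == "LOGIN_FAIL":
            recent.append(ts)
            failures[ip] = recent
        elif result == "LOGIN_OK":
            if len(recent) >= min_failures:
                hits.append((ip, user, ts))
            failures[ip] = []  # a success resets the counter for that IP
    return hits


if __name__ == "__main__":
    for ip, user, ts in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f"suspicious login: ip={ip} user={user} at={ts.isoformat()}")
```

Tune `min_failures` and `window` to the baseline of your own environment; bob's single failure 14 minutes before his success is below the threshold and is not reported.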