CVE-2019-12530
📋 TL;DR
This vulnerability allows unauthenticated attackers to bypass authentication and access sensitive dashboard files in the stdonato Dashboard plugin for GLPI. The cause is improper access control on multiple PHP files, so it affects all users running vulnerable versions of the plugin.
💻 Affected Systems
- stdonato Dashboard plugin for GLPI
📦 What is this software?
Glpi Dashboard by Glpi Dashboard Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file access, potential data exfiltration, and privilege escalation leading to full control of the GLPI instance.
Likely Case
Unauthenticated access to sensitive dashboard data, configuration files, and potentially other system information exposed through the vulnerable endpoints.
If Mitigated
Limited impact with proper network segmentation and authentication controls, though the vulnerability still exists at the application layer.
🎯 Exploit Status
The vulnerability is simple to exploit by directly accessing the vulnerable PHP files without authentication. Public proof-of-concept exists in the commit references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 3a89f0085a221d7ad76d1104df6df6c634bd7f14 and later versions
Vendor Advisory: https://github.com/stdonato/glpi-dashboard/commit/3a89f0085a221d7ad76d1104df6df6c634bd7f14
Restart Required: No
Instructions:
1. Update the stdonato Dashboard plugin to a version after 0.9.7
2. Apply the fix from commit 3a89f0085a221d7ad76d1104df6df6c634bd7f14
3. Verify the fix by checking that authentication is required for df.php, issue.php, load.php, mem.php, traf.php, and uptime.php
🔧 Temporary Workarounds
Restrict access to vulnerable files
Use web server configuration to block direct access to the vulnerable PHP files
# Apache (2.4 syntax): add to .htaccess or the virtual host config.
# <FilesMatch> takes a regex; a plain <Files "a|b"> would match a literal file name and block nothing.
<FilesMatch "^(df|issue|load|mem|traf|uptime)\.php$">
Require all denied
</FilesMatch>
# Nginx: add to the server block, scoped to the plugin directory so other files are unaffected
location ~ /plugins/dashboard/front/sh/(df|issue|load|mem|traf|uptime)\.php$ {
deny all;
}
Disable the plugin
Temporarily disable the stdonato Dashboard plugin until patched
# Remove or rename the plugin directory
mv /path/to/glpi/plugins/dashboard /path/to/glpi/plugins/dashboard.disabled
🧯 If You Can't Patch
- Implement strict network access controls to limit access to the GLPI instance
- Deploy a web application firewall (WAF) with rules to block unauthenticated access to the vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://your-glpi-instance/plugins/dashboard/front/sh/df.php without authentication. If it returns dashboard data, the system is vulnerable.
Check Version:
Check the plugin version in the GLPI admin interface, or examine the plugin directory structure and files
Verify Fix Applied:
After patching, attempt the same unauthenticated access. You should receive an authentication prompt or access denied error.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access to /plugins/dashboard/front/sh/df.php, issue.php, load.php, mem.php, traf.php, or uptime.php
- Multiple failed authentication attempts followed by successful access to dashboard files
Network Indicators:
- Unusual traffic patterns to dashboard endpoints without preceding authentication requests
- External IP addresses accessing sensitive dashboard files
SIEM Query:
source="web_access_logs" AND (uri="/plugins/dashboard/front/sh/df.php" OR uri="/plugins/dashboard/front/sh/issue.php" OR uri="/plugins/dashboard/front/sh/load.php" OR uri="/plugins/dashboard/front/sh/mem.php" OR uri="/plugins/dashboard/front/sh/traf.php" OR uri="/plugins/dashboard/front/sh/uptime.php") AND NOT (status="401" OR status="403")
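As an added example (not part of this advisory), the same rule as the SIEM query applied offline to web access logs in Apache/Nginx "combined" format: any request for one of the six dashboard files that was not rejected with 401 or 403 is flagged, and hits are counted per client for triage. The log lines below are constructed samples, not real traffic.

```python
import re
from collections import Counter

# The six dashboard files exposed by CVE-2019-12530, at the path given in the advisory.
VULN_FILES = ("df", "issue", "load", "mem", "traf", "uptime")
VULN_PATH_RE = re.compile(
    r"/plugins/dashboard/front/sh/(" + "|".join(VULN_FILES) + r")\.php(?:\?|$)"
)

# Apache/Nginx "combined" access log: client, identity, user, [time], "request", status, size, ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """Same rule as the SIEM query: a request for a vulnerable file that the server
    did not reject with 401/403, i.e. the file was served without authentication."""
    return bool(VULN_PATH_RE.search(rec["uri"])) and rec["status"] not in ("401", "403")

def scan(lines):
    """Return the matching records plus a per-client hit count for triage."""
    hits = [r for r in map(parse_line, lines) if r and is_suspicious(r)]
    return hits, Counter(r["ip"] for r in hits)

# Constructed sample lines (not real traffic): two unauthenticated reads served with 200,
# one request blocked by a workaround (403), one ordinary logged-in GLPI page, one junk line.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2019:12:00:01 +0000] "GET /plugins/dashboard/front/sh/df.php HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '198.51.100.7 - - [10/Jun/2019:12:00:02 +0000] "GET /plugins/dashboard/front/sh/mem.php?x=1 HTTP/1.1" 200 301 "-" "curl/7.64.0"',
    '203.0.113.5 - - [10/Jun/2019:12:00:03 +0000] "GET /plugins/dashboard/front/sh/uptime.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.9 - admin [10/Jun/2019:12:00:04 +0000] "GET /front/central.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits, per_client = scan(SAMPLE_LOG)
    for r in hits:
        print(f"{r['ip']} read {r['uri']} without auth (status {r['status']})")
    print("hits per client:", dict(per_client))
```

Pipe a real access log in with `scan(open("access.log"))`; a client with many hits against these paths and no other GLPI activity is the pattern the Network Indicators section describes.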