CVE-2022-34126
📋 TL;DR
CVE-2022-34126 is a directory traversal vulnerability in the Activity plugin for GLPI that allows attackers to read local files on the server. This affects GLPI installations using Activity plugin versions before 3.1.1. Attackers can exploit this via the file parameter in front/cra.send.php to access sensitive system files.
💻 Affected Systems
- GLPI Activity Plugin
📦 What is this software?
Activity by Glpi Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like configuration files, SSH keys, or database credentials, potentially leading to lateral movement and data exfiltration.
Likely Case
Unauthorized reading of sensitive files containing configuration data, credentials, or other confidential information stored on the server.
If Mitigated
Limited impact with proper file permissions and web server hardening, though sensitive files could still be exposed if accessible to the web server user.
🎯 Exploit Status
Simple directory traversal attack with publicly available proof-of-concept. No authentication required to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.1
Vendor Advisory: https://github.com/InfotelGLPI/activity/security/advisories/GHSA-jcmw-hpgh-357p
Restart Required: No
Instructions:
1. Backup your GLPI installation and database.
2. Download Activity plugin version 3.1.1 from GitHub releases.
3. Replace the existing Activity plugin directory with the new version.
4. Clear GLPI cache if applicable.
🔧 Temporary Workarounds
File Access Restriction
Restrict access to front/cra.send.php via web server configuration
# Apache: Add to .htaccess or virtual host config
<Files "cra.send.php">
    # Apache 2.4 (mod_authz_core)
    Require all denied
    # Apache 2.2, or 2.4 with mod_access_compat loaded
    # Order Deny,Allow
    # Deny from all
</Files>
# Nginx: Add to server block (deny all responds with 403)
location ~ /front/cra\.send\.php$ {
    deny all;
}
Input Validation
Add input validation to sanitize the file parameter before processing
# Example PHP input validation: resolve the requested name inside an allowed
# base directory instead of blacklisting '../' (a pattern blacklist misses
# absolute paths and encoded variants). Replace the base path for your setup.
$base = realpath('/path/to/allowed/dir');
$name = basename($_GET['file'] ?? '');
$path = $name === '' ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    die('Invalid file parameter');
}
🧯 If You Can't Patch
- Remove or disable the Activity plugin entirely from GLPI installation
- Implement strict web application firewall (WAF) rules to block directory traversal patterns
🔍 How to Verify
Check if Vulnerable:
Check if Activity plugin version is below 3.1.1 by examining the plugin directory or GLPI plugin management interface.
Check Version:
# Check plugin version file
grep -r "version" /path/to/glpi/plugins/activity/activity.xml | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'
Verify Fix Applied:
Verify Activity plugin version shows 3.1.1 or higher in GLPI plugin management or by checking the plugin's version file.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /plugins/activity/front/cra.send.php with file parameter containing '../' or '..\\' patterns
- Unusual file access patterns from web server process
Network Indicators:
- HTTP GET requests with file parameter containing directory traversal sequences
- Unusual outbound traffic following successful exploitation
SIEM Query:
source="web_access_logs" AND uri_path="/plugins/activity/front/cra.send.php" AND (query_string="*../*" OR query_string="*..%2f*" OR query_string="*..%5c*")
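As an added example that is not part of this advisory, the following Python script applies the log indicators above to constructed access-log lines, flagging requests to cra.send.php whose file parameter carries a plain, URL-encoded or double-encoded traversal sequence (the SIEM query above only matches single-encoded forms).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2022:12:00:01 +0000] "GET /plugins/activity/front/cra.send.php?file=../../../../etc/passwd HTTP/1.1" 200 1431
203.0.113.5 - - [10/Jul/2022:12:00:02 +0000] "GET /plugins/activity/front/cra.send.php?file=..%2f..%2f..%2fetc%2fhosts HTTP/1.1" 200 220
203.0.113.5 - - [10/Jul/2022:12:00:03 +0000] "GET /plugins/activity/front/cra.send.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1431
198.51.100.7 - - [10/Jul/2022:12:00:04 +0000] "GET /plugins/activity/front/cra.send.php?file=report_2022_07.pdf HTTP/1.1" 200 8840
198.51.100.7 - - [10/Jul/2022:12:00:05 +0000] "GET /front/central.php HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TARGET_PATH = "/plugins/activity/front/cra.send.php"
# A ".." path segment bounded by slashes (backslashes are normalized to "/" first).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded input (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_attempt(target: str) -> bool:
    """True if the request targets cra.send.php with a traversal or absolute path in `file`."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_PATH):
        return False
    for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        normalized = decode_fully(raw).replace("\\", "/")
        if TRAVERSAL_RE.search(normalized) or normalized.startswith("/"):
            return True
    return False

def scan_log(text: str) -> list:
    """Return one finding per suspicious request: source IP, timestamp, status, raw target."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group("target")):
            findings.append({k: m.group(k) for k in ("ip", "ts", "status", "target")})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['target']}")
```

A 200 status on a flagged request is the signal to prioritise; the plugin returned file contents rather than an error.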
🔗 References
- https://github.com/InfotelGLPI/activity/releases/tag/3.1.1
- https://github.com/InfotelGLPI/activity/security/advisories/GHSA-jcmw-hpgh-357p
- https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/