CVE-2022-34128
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary PHP code on GLPI servers running vulnerable versions of the Cartography (positions) plugin. Attackers can exploit this by sending specially crafted POST data to the upload.php endpoint, potentially gaining full control of affected systems. Organizations using GLPI with the positions plugin before version 6.0.1 are affected.
💻 Affected Systems
- GLPI Cartography (positions) plugin
📦 What is this software?
Positions by Glpi Project
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, lateral movement within the network, ransomware deployment, or complete system takeover.
Likely Case
Remote code execution allowing attackers to install backdoors, exfiltrate sensitive data, or use the server as a pivot point for further attacks.
If Mitigated
Limited impact due to network segmentation, proper access controls, and monitoring that detects exploitation attempts.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.1
Vendor Advisory: https://github.com/InfotelGLPI/positions/security/advisories/GHSA-947x-g9g9-rcmx
Restart Required: No
Instructions:
1. Back up your GLPI installation and database.
2. Download positions plugin version 6.0.1 or later from the official repository.
3. Replace the existing positions plugin directory with the updated version.
4. Clear the GLPI cache if applicable.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Linux: temporarily block access to the vulnerable upload.php file
mv /path/to/glpi/plugins/positions/front/upload.php /path/to/glpi/plugins/positions/front/upload.php.disabled
Web server access control
All platforms: configure the web server to deny access to upload.php (the Apache snippet below uses the 2.2-style Order/Deny directives; on Apache 2.4 the equivalent inside the Files block is `Require all denied`)
# Apache: Add to .htaccess
<Files "upload.php">
Order allow,deny
Deny from all
</Files>
# Nginx: Add to server block
location ~ /plugins/positions/front/upload\.php$ {
deny all;
return 403;
}
🧯 If You Can't Patch
- Immediately isolate affected systems from internet access
- Implement strict network segmentation and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the installed positions plugin version is below 6.0.1 by examining the plugin directory or the GLPI administration interface (Setup > Plugins).
Check Version:
grep -r "plugin_version" /path/to/glpi/plugins/positions/ || grep version /path/to/glpi/plugins/positions/plugin.xml
Verify Fix Applied:
Confirm positions plugin version is 6.0.1 or higher and verify upload.php file has been updated or removed.
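The following script automates the version comparison described above. It is an added example, not code from the positions plugin or from GLPI; it assumes that the plugin's setup.php declares its version with a `define('PLUGIN_POSITIONS_VERSION', ...)` line, as GLPI plugins conventionally do, and the sample setup.php text embedded in it is constructed for illustration.

```python
"""Version check for the GLPI positions plugin (added example, not project code).

Assumption: setup.php defines PLUGIN_POSITIONS_VERSION, following the usual
GLPI plugin convention. SAMPLE_SETUP_PHP below is constructed sample input.
"""
import re
from pathlib import Path

FIXED_VERSION = (6, 0, 1)  # first release carrying the fix, per the advisory

# Constructed sample of what a vulnerable plugin's setup.php might contain.
SAMPLE_SETUP_PHP = """<?php
define('PLUGIN_POSITIONS_VERSION', '6.0.0');
"""

VERSION_RE = re.compile(
    r"define\(\s*['\"]PLUGIN_POSITIONS_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)"
)


def parse_version(text: str) -> tuple:
    """Turn '6.0.1' (or '6.0.1-rc1') into a comparable tuple padded to 3 parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_from_setup(setup_php: str):
    """Extract the declared plugin version from setup.php text, or None."""
    m = VERSION_RE.search(setup_php)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True when the declared version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def assess(setup_php: str, upload_php_present: bool) -> dict:
    """Combine the version check with whether upload.php is still on disk."""
    version = version_from_setup(setup_php)
    vulnerable = version is None or is_vulnerable(version)
    if version is None:
        status = "unknown version: treat as vulnerable"
    elif vulnerable and not upload_php_present:
        status = "vulnerable version, upload.php absent (workaround in place): patch anyway"
    elif vulnerable:
        status = "VULNERABLE: update to 6.0.1 or later"
    else:
        status = "patched"
    return {
        "version": version,
        "vulnerable": vulnerable,
        "upload_php_present": upload_php_present,
        "status": status,
    }


def check_install(plugin_dir: Path) -> dict:
    """Run the assessment against a real plugin directory on disk."""
    setup = (plugin_dir / "setup.php").read_text(encoding="utf-8", errors="replace")
    return assess(setup, (plugin_dir / "front" / "upload.php").exists())


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Usage: python check_positions.py /path/to/glpi/plugins/positions
        print(check_install(Path(sys.argv[1])))
    else:
        print(assess(SAMPLE_SETUP_PHP, upload_php_present=True))
```

Treating an unparseable version as vulnerable is deliberate: a missing or renamed constant is more likely a modified or unknown install than a patched one, and the safe default is to flag it for manual review.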
📡 Detection & Monitoring
Log Indicators:
- POST requests to /plugins/positions/front/upload.php with PHP code patterns
- Unusual file uploads or system command execution in web logs
Network Indicators:
- HTTP POST requests to upload.php endpoint with suspicious payloads
- Outbound connections from GLPI server to unknown IPs
SIEM Query:
source="web_logs" AND uri="/plugins/positions/front/upload.php" AND method="POST" AND (body="<?php" OR body="eval(" OR body="system(")
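The SIEM query above, implemented as a standalone detector for environments without a SIEM. This is an added example and not part of the original advisory; it assumes request records exported by a reverse proxy or WAF as JSON lines with `method`, `uri` and `body` fields (standard access logs do not record bodies), and the log lines embedded in it are constructed. It goes slightly beyond the query by stripping query strings from the URI and by URL-decoding the body once and twice, so that an encoded `%3C%3Fphp` is still caught.

```python
"""Detection of exploitation attempts against the positions upload.php endpoint.

Added example, not from the original page. Assumes JSON-lines request records
(method, uri, body) from a proxy or WAF that logs bodies; SAMPLE_LOG is constructed.
"""
import json
import re
from urllib.parse import unquote_plus

TARGET_URI = "/plugins/positions/front/upload.php"

# The same three indicators as the page's SIEM query, as regular expressions.
PHP_PATTERNS = {
    "php_open_tag": re.compile(r"<\?php", re.IGNORECASE),
    "eval_call": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "system_call": re.compile(r"\bsystem\s*\(", re.IGNORECASE),
}

# Constructed sample records: one GET, one plain-text hit, one off-target
# POST, one benign POST, and one URL-encoded hit with a query string.
SAMPLE_LOG = """\
{"ts": "2022-07-01T10:00:01Z", "src": "10.0.0.5", "method": "GET", "uri": "/plugins/positions/front/upload.php", "body": ""}
{"ts": "2022-07-01T10:00:02Z", "src": "198.51.100.7", "method": "POST", "uri": "/plugins/positions/front/upload.php", "body": "name=x&data=<?php echo 1; ?>"}
{"ts": "2022-07-01T10:00:03Z", "src": "10.0.0.8", "method": "POST", "uri": "/front/ticket.php", "body": "content=eval(x)"}
{"ts": "2022-07-01T10:00:04Z", "src": "10.0.0.9", "method": "POST", "uri": "/plugins/positions/front/upload.php", "body": "name=floorplan&id=12"}
{"ts": "2022-07-01T10:00:05Z", "src": "198.51.100.7", "method": "POST", "uri": "/plugins/positions/front/upload.php?x=1", "body": "data=%3C%3Fphp+system%28%22id%22%29%3B"}
"""


def normalize_uri(uri: str) -> str:
    """Drop the query string so '/x/upload.php?a=1' compares equal to the target."""
    return uri.split("?", 1)[0]


def match_patterns(body: str) -> list:
    """Return the names of indicators found in the raw, once- or twice-decoded body."""
    candidates = {body, unquote_plus(body), unquote_plus(unquote_plus(body))}
    return sorted(
        name for name, rx in PHP_PATTERNS.items()
        if any(rx.search(c) for c in candidates)
    )


def find_exploit_attempts(log_lines) -> list:
    """Flag POSTs to the vulnerable endpoint whose body carries PHP code patterns."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than crash the detector
        if rec.get("method", "").upper() != "POST":
            continue
        if normalize_uri(rec.get("uri", "")) != TARGET_URI:
            continue
        indicators = match_patterns(rec.get("body", ""))
        if indicators:
            hits.append({"ts": rec.get("ts"), "src": rec.get("src"), "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG.splitlines()):
        print(hit)
```

Any hit is worth an alert on its own, because a legitimate floor-plan upload has no reason to carry a PHP open tag; repeated hits from one source, as in the constructed sample, are the pattern the "Network Indicators" section describes and should also trigger a look at outbound connections from the GLPI host.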
🔗 References
- https://github.com/InfotelGLPI/positions/releases/tag/6.0.1
- https://github.com/InfotelGLPI/positions/security/advisories/GHSA-947x-g9g9-rcmx
- https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/