CVE-2023-42462
📋 TL;DR
CVE-2023-42462 is a path traversal vulnerability in GLPI's document upload functionality that allows attackers to delete arbitrary files on the server. This affects all GLPI installations running versions before 10.0.10. Attackers with access to the document upload feature can exploit this to delete critical system files.
💻 Affected Systems
- GLPI (Gestionnaire Libre de Parc Informatique)
📦 What is this software?
GLPI (Gestionnaire Libre de Parc Informatique), an open-source IT asset management and service desk application maintained by the GLPI Project.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, configuration files, or application data leading to service disruption, data loss, or privilege escalation.
Likely Case
Application disruption through deletion of GLPI configuration files, uploaded documents, or database files, causing service outages and data loss.
If Mitigated
Limited impact to non-critical files if proper file permissions and access controls are implemented, though some data loss may still occur.
🎯 Exploit Status
Exploitation requires access to the document upload functionality. The vulnerability is a straightforward path traversal that can be exploited with basic HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.10
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-hm76-jh96-7j75
Restart Required: No
Instructions:
1. Back up your GLPI installation and database.
2. Download GLPI version 10.0.10 or later from the official repository.
3. Follow the GLPI upgrade documentation to update your installation.
4. Verify the upgrade was successful by checking the version in the GLPI interface.
🔧 Temporary Workarounds
Disable document upload functionality
Temporarily disable the document upload feature in GLPI to prevent exploitation while planning the upgrade.
# Modify GLPI configuration or disable the feature through the interface if available
🧯 If You Can't Patch
- Implement strict file permissions to limit the impact of file deletion (e.g., run GLPI with minimal privileges, use read-only permissions for critical files)
- Monitor and audit file deletion activities on the GLPI server using file integrity monitoring tools
🔍 How to Verify
Check if Vulnerable:
Check your GLPI version in the application interface or by examining the GLPI installation files. Versions before 10.0.10 are vulnerable.
Check Version:
# Check GLPI version via web interface or examine the inc/define.php file for version information
Verify Fix Applied:
After upgrading, verify the version shows 10.0.10 or later in the GLPI interface. Test the document upload functionality to ensure it works without allowing path traversal.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion patterns in system logs
- Multiple failed or suspicious document upload attempts in GLPI logs
- Error logs showing path traversal attempts
Network Indicators:
- HTTP requests to document upload endpoints with suspicious file paths containing '../' sequences
SIEM Query:
web_server_logs WHERE url CONTAINS '/front/document.send.php' AND (url CONTAINS '../' OR parameters CONTAINS '../')
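As an added example (not part of the original advisory or the GLPI project's own tooling), the following Python script applies the same detection idea to web server access logs. It assumes Apache combined log format and uses constructed sample lines; unlike a literal '../' match, it percent-decodes the request repeatedly so that single- or double-encoded traversal sequences are also flagged, and it counts hits per client so repeated attempts stand out.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines (not real traffic) used as test input.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Oct/2023:10:12:01 +0000] "GET /front/document.send.php?docid=42 HTTP/1.1" 200 5120
10.0.0.9 - bob [01/Oct/2023:10:12:07 +0000] "GET /front/document.send.php?docid=42&file=../../some/app/file.php HTTP/1.1" 403 212
10.0.0.9 - bob [01/Oct/2023:10:12:09 +0000] "GET /front/document.send.php?docid=42&file=%2e%2e%2f%2e%2e%2fother%2ffile HTTP/1.1" 403 212
10.0.0.9 - bob [01/Oct/2023:10:12:11 +0000] "GET /front/document.send.php?file=%252e%252e%252fconfig HTTP/1.1" 403 212
10.0.0.7 - carol [01/Oct/2023:10:13:00 +0000] "GET /front/ticket.php?id=../../x HTTP/1.1" 200 900
"""

# Fields of one combined-format line: client IP, user, timestamp, method, URL, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Forward-slash and back-slash traversal sequences.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def normalize(url, max_rounds=3):
    """Percent-decode until the value stops changing, exposing single or double encoded '../'."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def find_traversal_requests(log_text, endpoint='/front/document.send.php'):
    """Return requests to the GLPI document endpoint whose decoded URL contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = normalize(m.group('url'))
        if endpoint in url and TRAVERSAL_RE.search(url):
            hits.append({'ip': m.group('ip'), 'user': m.group('user'),
                         'status': m.group('status'), 'url': url})
    return hits

def summarize_by_source(hits):
    """Count flagged requests per (client IP, user) so repeated attempts stand out."""
    counts = {}
    for h in hits:
        key = (h['ip'], h['user'])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == '__main__':
    flagged = find_traversal_requests(SAMPLE_LOG)
    for h in flagged:
        print(h)
    print(summarize_by_source(flagged))
```

The endpoint filter can be widened (for example to '/front/') if you want the same check applied to other GLPI routes; a 403 on a flagged request indicates the attempt was blocked, while a 200 deserves immediate follow-up.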