CVE-2023-42802
📋 TL;DR
This critical vulnerability in GLPI allows attackers to upload malicious PHP files to unauthorized directories through unverified object instantiation. If exploited, this can lead to remote code execution on affected GLPI instances. All GLPI installations running versions 10.0.7 through 10.0.9 are vulnerable.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI, the open-source IT asset management and helpdesk (ITSM) suite, by GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution, allowing attackers to execute arbitrary commands, steal data, install backdoors, or pivot to other systems.
Likely Case
Webshell deployment leading to data exfiltration, privilege escalation, and persistence within the GLPI environment.
If Mitigated
Limited impact. If the web server user cannot write inside GLPI's PHP tree and the directories it can write to are not served as PHP, a dropped file either never lands or is never executed; the vendor advisory itself notes that execution of the uploaded file depends on the web server configuration.
🎯 Exploit Status
The vulnerability allows unauthenticated file upload, so an attacker needs nothing more than network access to the GLPI web interface; no account or prior foothold is required. Whether the dropped PHP file is then executed depends on the web server configuration (see the vendor advisory), which is why the file-permission hardening below matters even after patching.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.10
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-rrh2-x4ch-pq3m
Restart Required: No for the application itself; reload PHP-FPM or the web server if PHP opcache runs with opcache.validate_timestamps=0, otherwise the old bytecode stays cached and the patched files are not picked up.
Instructions:
1. Back up the GLPI files and the database (mysqldump) before touching anything.
2. Download GLPI 10.0.10 from the official GitHub releases page of glpi-project/glpi.
3. Replace the existing code with the new release, carrying over config/ and files/ (or leaving them alone if they already live outside the code tree, as GLPI 10 recommends).
4. Run the schema update from the install directory: php bin/console db:update
5. Verify that the reported version is 10.0.10 and that logins and ticket forms work.
🔧 Temporary Workarounds
Restrict write permissions
Linux: remove write access for the web server user on GLPI's PHP tree. The advisory describes writes to unwanted locations, so lock down the whole code tree, not only /ajax and /front; leave write access only on the data directories GLPI needs (files/, config/, plus marketplace/ or plugins/ if you install plugins from the web UI), which on a GLPI 10 install should sit outside the document root anyway. Change ownership first: a recursive chmod 755 on a tree still owned by the web server user removes nothing, and 755 on regular files sets an execute bit they do not need.
chown -R root:root /path/to/glpi/ajax /path/to/glpi/front
find /path/to/glpi/ajax /path/to/glpi/front -type d -exec chmod 755 {} +
find /path/to/glpi/ajax /path/to/glpi/front -type f -exec chmod 644 {} +
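The lock-down above as a script with a check that proves it took effect. This is an added example, not GLPI project code; it assumes the install is at $GLPI_ROOT, that PHP runs as $WEB_USER (www-data on Debian-style hosts), and that the in-tree data directories listed in the apply branch are the only ones GLPI must write to.

```shell
#!/bin/sh
# Added example (not GLPI project code): take web-server write access away from
# GLPI's PHP tree, then list anything the web user could still write to.
# Assumptions: install at $GLPI_ROOT, PHP runs as $WEB_USER, data directories
# (files/, config/, marketplace/, plugins/) are re-granted only if they are in-tree.

GLPI_ROOT="${GLPI_ROOT:-/path/to/glpi}"   # assumption
WEB_USER="${WEB_USER:-www-data}"           # assumption: Apache/php-fpm user on Debian

# lock_code_tree DIR OWNER[:GROUP]: chown first (a chmod on a web-user-owned
# tree removes nothing), then 755 for directories and 644 for files.
lock_code_tree() {
  chown -R "$2" "$1"
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# find_writable_paths DIR WEBUSER: print every path the web user could still
# write to: group- or world-writable entries, or entries it owns outright.
find_writable_paths() {
  if id "$2" >/dev/null 2>&1; then
    find "$1" \( -perm -g=w -o -perm -o=w -o -user "$2" \) -print
  else
    find "$1" \( -perm -g=w -o -perm -o=w \) -print
  fi
}

# count_writable_paths DIR WEBUSER: number of offending paths; 0 means locked down.
count_writable_paths() {
  find_writable_paths "$1" "$2" | wc -l | tr -d ' '
}

case "${1:-}" in
  apply)
    lock_code_tree "$GLPI_ROOT" root:root
    # Re-grant only the data directories GLPI must write to, if they are in-tree.
    # marketplace/ and plugins/ hold web-executed PHP: grant them only if you
    # install plugins from the web UI.
    for d in files config marketplace plugins; do
      if [ -d "$GLPI_ROOT/$d" ]; then chown -R "$WEB_USER:$WEB_USER" "$GLPI_ROOT/$d"; fi
    done
    echo "paths still writable by $WEB_USER (expect only data directories):"
    find_writable_paths "$GLPI_ROOT" "$WEB_USER"
    ;;
esac
```

Run it as root with the argument apply; without arguments it only defines the functions, so it can be sourced by a nightly check that alerts when count_writable_paths returns anything other than the expected data-directory entries.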
🧯 If You Can't Patch
- Implement strict network segmentation to isolate GLPI instances from untrusted networks
- Deploy web application firewall (WAF) with rules to block PHP file uploads to suspicious directories
🔍 How to Verify
Check if Vulnerable:
Check GLPI version in Administration > General > Information, or examine the GLPI source code for version markers.
Check Version:
grep -m1 "GLPI_VERSION" /path/to/glpi/inc/define.php
Verify Fix Applied:
Confirm the version reads 10.0.10 or later, then check that no PHP files have appeared under the install that are not part of the release (compare against a clean copy of the tarball) and that the web server user has no write access to the code tree.
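The patch procedure from the Official Fix section and the version check above, as one script. This is an added example, not GLPI project code. It assumes the install is at $GLPI_ROOT with config/ and files/ inside the tree (drop the copy step if yours are in /etc/glpi and /var/lib/glpi), that mysqldump reads its credentials from ~/.my.cnf, that the release tarball follows the project's glpi-<version>.tgz naming and unpacks into a single top-level directory, and that tar understands --strip-components (GNU tar or bsdtar).

```shell
#!/bin/sh
# Added example (not GLPI project code): detect the affected version range of
# CVE-2023-42802 and carry out the upgrade steps as a script.
# Assumptions: $GLPI_ROOT holds config/ and files/ in-tree, ~/.my.cnf supplies
# database credentials, release tarball is glpi-<version>.tgz with one top dir.

GLPI_ROOT="${GLPI_ROOT:-/path/to/glpi}"        # assumption
DB_NAME="${DB_NAME:-glpi}"                      # assumption
TARGET="${TARGET:-10.0.10}"                     # first fixed release
BACKUP_DIR="${BACKUP_DIR:-/var/backups/glpi}"   # assumption

# glpi_version ROOT: read GLPI_VERSION out of inc/define.php, e.g. "10.0.9"
glpi_version() {
  sed -n "s/^define('GLPI_VERSION', *'\([^']*\)');.*/\1/p" "$1/inc/define.php" | head -n 1
}

# is_vulnerable_version VERSION: true for 10.0.7 <= VERSION <= 10.0.9
is_vulnerable_version() {
  major="${1%%.*}"
  rest="${1#*.}"
  minor="${rest%%.*}"
  patch="${rest#*.}"
  patch="${patch%%[!0-9]*}"      # drop suffixes such as -dev
  if [ "$major" = 10 ] && [ "$minor" = 0 ] && [ -n "$patch" ] \
     && [ "$patch" -ge 7 ] && [ "$patch" -le 9 ]; then
    return 0
  fi
  return 1
}

# update_glpi: steps 1-5 of the instructions; the old tree is kept for rollback.
update_glpi() {
  stamp=$(date +%Y%m%d%H%M%S)
  new="$GLPI_ROOT.new-$stamp"
  mkdir -p "$BACKUP_DIR"
  # 1. backups: database dump plus a tarball of the current tree
  mysqldump --single-transaction "$DB_NAME" > "$BACKUP_DIR/db-$stamp.sql"
  tar -C "$(dirname "$GLPI_ROOT")" -czf "$BACKUP_DIR/files-$stamp.tgz" "$(basename "$GLPI_ROOT")"
  # 2. fetch the release from the official GitHub releases page (URL pattern assumed)
  curl -fsSL -o "/tmp/glpi-$TARGET.tgz" \
    "https://github.com/glpi-project/glpi/releases/download/$TARGET/glpi-$TARGET.tgz"
  # 3. unpack beside the current install, carry over config and data, then swap
  mkdir -p "$new"
  tar -xzf "/tmp/glpi-$TARGET.tgz" -C "$new" --strip-components=1
  cp -a "$GLPI_ROOT/config" "$GLPI_ROOT/files" "$new/"
  mv "$GLPI_ROOT" "$GLPI_ROOT.old-$stamp" && mv "$new" "$GLPI_ROOT"
  # 4. apply schema changes with GLPI's own console
  (cd "$GLPI_ROOT" && php bin/console db:update)
  # 5. verify the version that is now on disk
  ver=$(glpi_version "$GLPI_ROOT")
  echo "installed version: $ver"
  if is_vulnerable_version "$ver"; then
    echo "still in the affected range, investigate before reopening" >&2
    return 1
  fi
  return 0
}

case "${1:-check}" in
  check)
    v=$(glpi_version "$GLPI_ROOT" 2>/dev/null || true)
    if is_vulnerable_version "$v"; then echo "GLPI $v: vulnerable to CVE-2023-42802"
    else echo "GLPI ${v:-unknown}: not in the affected range"; fi ;;
  update) update_glpi ;;
esac
```

Run with check (the default) on every host first; run with update only after the backups land somewhere off the box. After the swap, re-apply the ownership and permission lock-down from the workaround section, since the fresh tree is owned by whoever ran the script.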
📡 Detection & Monitoring
Log Indicators:
- New or modified .php files under /ajax, /front or anywhere else in the install that are not part of the release
- Web server access logs showing requests for .php paths that do not exist in a clean copy of GLPI, especially ones answered with 200
- GLPI's own logs under files/_log/ (event.log, php-errors.log) showing errors or activity around the time of the write
Network Indicators:
- Multipart HTTP POST requests to GLPI endpoints without a valid session cookie or from unexpected source addresses (ordinary GLPI use also POSTs to /front and /ajax, so baseline first)
- Unusual outbound connections from GLPI server
SIEM Query:
source="web_server_logs" AND (uri_path="/ajax/*" OR uri_path="/front/*") AND method="POST" AND content_type="multipart/form-data"
This matches every form a legitimate user submits, so treat it as a hunting or baseline query rather than an alert: narrow it by source address, missing session cookie or response status, and pair it with a search for GET requests to .php paths that are not part of the release. A stock Apache or nginx access log does not record the request Content-Type, so the content_type field needs a custom LogFormat, a reverse proxy log or a WAF log.
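The two log and filesystem indicators above, implemented over constructed data. This is an added example, not GLPI project code or a real capture: the access-log lines and the release manifest are made up for the example, the install is assumed to be mounted at $GLPI_URL_PREFIX, and the manifest is assumed to be the list of .php paths in a clean copy of the release (find . -name '*.php' in the unpacked tarball produces it).

```shell
#!/bin/sh
# Added example (not GLPI project code): two post-exploitation checks for
# CVE-2023-42802. (a) unknown_php_hits scans an Apache "combined" access log for
# requests to .php paths that are not in the release manifest; (b) new_php_files
# lists PHP files written after the release was installed.
# Assumptions: GLPI served under $GLPI_URL_PREFIX; manifest = release .php paths.

GLPI_ROOT="${GLPI_ROOT:-/path/to/glpi}"       # assumption
GLPI_URL_PREFIX="${GLPI_URL_PREFIX:-/glpi}"   # assumption: install mounted at /glpi

# Constructed sample log (not real traffic); line 2 has the shape of a hit on a
# dropped file, line 4 is a probe for a file that was never written.
sample_access_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:14:01:12 +0000] "POST /glpi/ajax/common.tabs.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:01:15 +0000] "GET /glpi/ajax/uploaded.php?cmd=id HTTP/1.1" 200 71 "-" "curl/8.1.2"
198.51.100.4 - - [10/Oct/2023:14:02:03 +0000] "POST /glpi/front/ticket.form.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:02:40 +0000] "GET /glpi/front/x.php HTTP/1.1" 404 199 "-" "curl/8.1.2"
EOF
}

# Constructed subset of a release manifest (paths relative to the GLPI root).
sample_manifest() {
  printf '%s\n' /index.php /ajax/common.tabs.php /front/ticket.form.php
}

# unknown_php_hits MANIFEST LOG PREFIX: print requests whose path ends in .php,
# sits under PREFIX and is absent from MANIFEST. status=200 means the file
# exists and was executed; 404s are probes and are worth keeping as well.
unknown_php_hits() {
  awk -v prefix="$3" '
    NR == FNR { known[$0] = 1; next }          # first file: the manifest
    {
      path = $7; sub(/[?].*/, "", path)        # strip the query string
      if (path !~ /\.php$/) next
      if (substr(path, 1, length(prefix)) != prefix) next
      rel = substr(path, length(prefix) + 1)
      if (rel in known) next
      method = $6; sub(/^"/, "", method)
      printf "%s %s %s status=%s\n", $1, method, path, $9
    }' "$1" "$2"
}

# new_php_files ROOT: PHP files modified after inc/define.php, which the upgrade
# rewrote. An attacker can forge mtimes, so this is a quick first pass only;
# the manifest comparison above does not depend on timestamps.
new_php_files() {
  find "$1" -type f -name '*.php' -newer "$1/inc/define.php"
}

demo() {
  tmp=$(mktemp -d)
  sample_manifest > "$tmp/manifest"
  sample_access_log > "$tmp/access.log"
  unknown_php_hits "$tmp/manifest" "$tmp/access.log" "$GLPI_URL_PREFIX"
  rm -rf "$tmp"
}

case "${1:-demo}" in
  demo) demo ;;
  live) unknown_php_hits "$2" "$3" "$GLPI_URL_PREFIX"; new_php_files "$GLPI_ROOT" ;;
esac
```

Against a real host, run it as live MANIFEST ACCESS_LOG. The manifest comparison is the stronger of the two checks: it flags a dropped file from the moment it is requested, and it keeps working after an attacker resets timestamps.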