CVE-2023-53943
📋 TL;DR
CVE-2023-53943 is a username enumeration vulnerability in GLPI's password recovery mechanism that allows attackers to determine valid user email addresses by analyzing response differences. This affects GLPI 9.5.7 installations, potentially enabling targeted phishing or brute-force attacks against identified accounts.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI by GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers build a complete user directory, enabling targeted credential stuffing, phishing campaigns, or social engineering attacks against specific individuals.
Likely Case
Attackers validate email addresses for spam lists or targeted phishing, potentially leading to account compromise through follow-up attacks.
If Mitigated
Limited to email validation only; no direct access to accounts or data without additional vulnerabilities.
🎯 Exploit Status
Simple HTTP request/response analysis with no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.5.8
Vendor Advisory: https://glpi-project.org/pt-br/
Restart Required: No
Instructions:
1. Back up your GLPI installation and database.
2. Download GLPI 9.5.8 or later.
3. Follow the GLPI upgrade documentation.
4. Verify that the password recovery endpoint returns consistent responses.
🔧 Temporary Workarounds
Rate Limit Password Reset Endpoint
(Linux) Implement rate limiting on /front/lostpassword.php to prevent systematic enumeration
# Configure web server rate limiting (nginx example)
# The zone definition belongs in the http {} block: 5 requests per minute per client address
limit_req_zone $binary_remote_addr zone=passwordreset:10m rate=5r/m;
# The location block belongs in the relevant server {}; excess requests get HTTP 503 by default
location ~* /front/lostpassword\.php$ {
    limit_req zone=passwordreset burst=10 nodelay;
}
Web Application Firewall Rule
(All platforms) Block or monitor excessive requests to the password reset endpoint
# ModSecurity (v2 syntax) rule example: count requests per source IP and deny only above a threshold,
# so legitimate password resets still work while systematic enumeration is cut off
SecAction "id:1000,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
SecRule REQUEST_URI "@rx /front/lostpassword\.php" "id:1001,phase:1,pass,nolog,setvar:ip.lostpw_count=+1,expirevar:ip.lostpw_count=60"
SecRule REQUEST_URI "@rx /front/lostpassword\.php" "id:1002,phase:1,deny,status:429,msg:'Password reset enumeration attempt',chain"
    SecRule IP:LOSTPW_COUNT "@gt 10"
🧯 If You Can't Patch
- Implement CAPTCHA on password reset page to prevent automated enumeration
- Monitor logs for excessive password reset requests from single IPs
🔍 How to Verify
Check if Vulnerable:
Test the password reset endpoint with a valid and an invalid email; if the responses differ (timing, error messages, HTTP codes), the system is vulnerable.
Check Version:
Run php glpi/front/central.php | grep 'GLPI', or check the GLPI admin dashboard.
Verify Fix Applied:
After patching, test again with a valid and an invalid email; the responses should be identical in timing and content.
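As an added example (not part of this advisory or of the GLPI project), the comparison behind the check above: capture the reset endpoint's response to a known-valid and a known-invalid address on your own instance with any HTTP client, then pass status, body and elapsed time to find_oracles, which lists every way the two can be told apart. The timing tolerance, the token-stripping pattern and the sample responses are constructed assumptions.

```python
"""Decide whether two password-reset responses leak account existence.

A consistent endpoint answers a valid and an invalid address with the same
status, the same body (once per-request tokens are removed) and, within a
tolerance, the same latency. Anything else is an oracle.
"""
import re
from dataclasses import dataclass

# Assumed tolerance for ordinary latency jitter; tune it for your deployment.
TIMING_TOLERANCE_S = 0.25


@dataclass
class Response:
    status: int
    body: str
    elapsed: float  # seconds from request to full response


# Values that legitimately change per request and must not count as a difference:
# any hidden form token (name contains "token") and timestamps in the body.
_VOLATILE = [
    re.compile(r'name="[^"]*token[^"]*"\s+value="[^"]*"'),
    re.compile(r"\b\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\b"),
]


def normalize(body: str) -> str:
    """Strip volatile fragments and collapse whitespace before comparing bodies."""
    for pat in _VOLATILE:
        body = pat.sub("", body)
    return re.sub(r"\s+", " ", body).strip()


def find_oracles(valid: Response, invalid: Response, tol: float = TIMING_TOLERANCE_S) -> list[str]:
    """Return the observable differences; an empty list means the responses are consistent."""
    oracles = []
    if valid.status != invalid.status:
        oracles.append(f"status {valid.status} vs {invalid.status}")
    if normalize(valid.body) != normalize(invalid.body):
        oracles.append("body differs")
    if abs(valid.elapsed - invalid.elapsed) > tol:
        oracles.append(f"timing {valid.elapsed:.2f}s vs {invalid.elapsed:.2f}s")
    return oracles


# Constructed sample pairs (not real GLPI output): one that leaks, one that does not.
VULNERABLE_PAIR = (Response(200, "<p>An email has been sent to you</p>", 0.41),
                   Response(200, "<p>Email address not found</p>", 0.06))
FIXED_PAIR = (Response(200, '<input name="_csrf_token" value="aaa"><p>If an account exists, a mail was sent</p>', 0.40),
              Response(200, '<input name="_csrf_token" value="bbb"><p>If an account exists, a mail was sent</p>', 0.38))
```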
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /front/lostpassword.php from single IP
- Failed password reset attempts with different email addresses
Network Indicators:
- HTTP POST to /front/lostpassword.php with varying email parameters
- Abnormal request patterns to password reset endpoint
SIEM Query:
source="web_logs" url="/front/lostpassword.php" | stats count by src_ip | where count > 10