CVE-2024-56801
📋 TL;DR
This CVE describes a blind SQL injection vulnerability in the Tasklists plugin for GLPI. An attacker who can reach a vulnerable plugin endpoint can inject attacker-controlled SQL into queries the plugin sends to the GLPI database and, because the injection is blind, read back data indirectly through differences in response content or timing. This can expose sensitive data or lead to unauthorized access. All GLPI installations running Tasklists plugin versions before 2.0.4 are affected.
💻 Affected Systems
- GLPI Tasklists Plugin
📦 What is this software?
Tasklists by Infotel
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the GLPI database (which the plugin shares with GLPI core), leading to data theft and privilege escalation; remote code execution on the underlying server is possible only if the database account is over-privileged (for example, MySQL FILE privilege with secure_file_priv unset) and the web root is writable by the database server.
Likely Case
Unauthorized access to sensitive task data, user information, and potential lateral movement within the GLPI environment.
If Mitigated
Limited impact if the GLPI database account has only the grants it needs (no FILE, SUPER, or access to other schemas) and the plugin is disabled or its endpoints are filtered; injection attempts still reach the web server and remain visible in its logs for detection.
🎯 Exploit Status
Blind SQL injection returns no query output directly: the attacker infers data one condition at a time from differences in the response (boolean-based) or from induced delays (time-based). That takes far more requests than classic SQLi, but tools such as sqlmap automate the extraction, so treat the flaw as practically exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.4
Vendor Advisory: https://github.com/InfotelGLPI/tasklists/security/advisories/GHSA-c6fw-xw9x-gwjw
Restart Required: No
Instructions:
1. Back up your GLPI installation and database.
2. Update the Tasklists plugin to version 2.0.4 via GLPI's plugin management interface, or manually replace the plugin files and run the plugin update from Setup > Plugins.
3. Verify the update was successful by checking the plugin version.
🔧 Temporary Workarounds
Disable Tasklists Plugin
Temporarily disable the vulnerable plugin until patching can be completed. Disabled plugin code is not loaded, so its endpoints no longer execute.
Navigate to GLPI Setup > Plugins > Tasklists > Disable
Web Application Firewall Rules
Implement WAF rules to block SQL injection patterns in requests to the Tasklists plugin endpoints (paths under /plugins/tasklists/). Match on the URL-decoded request, including POST bodies, and scope the rules to that path prefix to limit false positives on the rest of GLPI.
🧯 If You Can't Patch
- Disable the plugin or fence its endpoints with a WAF (above); rewriting the plugin's queries yourself to use parameterized or properly escaped SQL is effectively backporting the fix, not a workaround, and should be replaced by the 2.0.4 update as soon as possible
- Restrict the GLPI database account to the minimum grants GLPI needs. Plugins run on the same database connection as GLPI core, so this cannot be scoped to the plugin alone, but removing FILE, SUPER and cross-schema grants limits what an injection can reach
🔍 How to Verify
Check if Vulnerable:
Check the Tasklists plugin version in GLPI: Setup > Plugins > Tasklists. If version is below 2.0.4, the system is vulnerable.
Check Version:
Check GLPI web interface: Setup > Plugins > Tasklists
Verify Fix Applied:
Confirm the Tasklists plugin version shows 2.0.4 or higher in GLPI's plugin management interface.
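For hosts where the web interface is not convenient (fleet checks, configuration management), the version can also be read from the plugin's setup.php on disk. The script below is an added example for this advisory, not code from GLPI or the Tasklists plugin. It assumes the plugin declares its version as `define('PLUGIN_TASKLISTS_VERSION', '...')` in setup.php (the constant name is an assumption; adjust `VERSION_DEFINE` if the installed copy differs) and compares it numerically against 2.0.4, so that a hypothetical 2.0.10 is correctly treated as fixed.

```python
"""Check an installed GLPI Tasklists plugin against the fixed version (2.0.4).

Added example for CVE-2024-56801; not the plugin's own code. Assumes the
version is declared in setup.php as define('PLUGIN_TASKLISTS_VERSION', '...').
"""
import re
import sys
from pathlib import Path

FIXED_VERSION = "2.0.4"
VERSION_DEFINE = "PLUGIN_TASKLISTS_VERSION"  # assumed constant name

_DEFINE_RE = re.compile(
    r"""define\(\s*['"]%s['"]\s*,\s*['"]([0-9][0-9A-Za-z.\-]*)['"]\s*\)"""
    % re.escape(VERSION_DEFINE)
)


def parse_version(setup_php_text):
    """Return the version string declared in setup.php, or None if absent."""
    m = _DEFINE_RE.search(setup_php_text)
    return m.group(1) if m else None


def version_key(version):
    """Sort key: numeric dotted components, with pre-releases ("2.0.4-rc1")
    ranking below the corresponding final release."""
    core, _, pre = version.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    return nums, 0 if pre else 1


def is_vulnerable(version):
    """True if the given plugin version is older than the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def check_setup_php(path):
    """Return (version, vulnerable) for a setup.php on disk; (None, None) if
    the version constant could not be found."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    version = parse_version(text)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


# Constructed samples of the relevant line (not the real file contents).
SAMPLE_OLD = "<?php\ndefine('PLUGIN_TASKLISTS_VERSION', '2.0.3');\n"
SAMPLE_FIXED = "<?php\ndefine(\"PLUGIN_TASKLISTS_VERSION\", \"2.0.4\");\n"

if __name__ == "__main__":
    # Default path is an assumption; pass the real plugin directory as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/www/glpi/plugins/tasklists/setup.php"
    version, vulnerable = check_setup_php(path)
    if version is None:
        print(f"{path}: could not find {VERSION_DEFINE}; check manually")
    else:
        state = "VULNERABLE (update to 2.0.4)" if vulnerable else "fixed"
        print(f"{path}: Tasklists {version} -> {state}")
```

Run it as `python3 check_tasklists.py /path/to/glpi/plugins/tasklists/setup.php`. A file-based check only tells you what is on disk; a plugin that is installed but disabled reports the same version, and the web interface remains the authoritative view of what GLPI actually loads.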
📡 Detection & Monitoring
Log Indicators:
- Unusual or long-running queries in database logs (the MySQL/MariaDB general or slow query log must be enabled; time-based blind payloads show up as deliberately slow statements)
- Bursts of near-identical requests to the same Tasklists endpoint with a single parameter varying between them, which is what automated blind extraction looks like in web server logs
- Unexpected SQL errors from Tasklists plugin endpoints, including entries in GLPI's files/_log/sql-errors.log
Network Indicators:
- SQL injection patterns (UNION SELECT, SLEEP(, BENCHMARK(, quote-and-boolean sequences, trailing comment markers) in HTTP requests to /plugins/tasklists/ endpoints, checked after URL decoding
- Abnormal query volume or response latency between the GLPI application server and its database during such request bursts (the injection rides on GLPI's existing connection; it does not open new ones)
SIEM Query:
source="web_server_logs" AND uri="*/plugins/tasklists/*" AND (uri="*union*select*" OR uri="*sleep(*" OR uri="*benchmark(*" OR uri="*%27*" OR uri="*'*" OR uri="*--*")
Match on the URL-decoded request where your SIEM supports it; bare terms such as "select", "update" or "delete" also match legitimate GLPI paths and parameters and produce noise. Web server access logs do not contain POST bodies, so pair this query with WAF or application-level logging for form submissions.
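The SIEM query above is a coarse filter. The script below shows the same detection logic run offline over access log lines: it parses the combined log format, URL-decodes each request (repeatedly, so double-encoded payloads are not missed), scopes matching to the /plugins/tasklists/ prefix, and groups hits by source address to surface the request bursts typical of automated blind extraction. It is an added example for this advisory, not code from GLPI or the plugin; the log lines are constructed, the pattern list is generic SQLi heuristics rather than a signature for this CVE (the advisory does not publish the injection point), and the endpoint paths in the samples are illustrative.

```python
"""Flag likely SQL-injection probes against GLPI Tasklists endpoints in
web-server access logs and group them by source. Added example for
CVE-2024-56801; patterns are generic heuristics, not a CVE signature."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/nginx "combined" format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bunion\b[\s/*]+(all\s+)?select\b",      # 0: union-based
        r"\b(sleep|benchmark)\s*\(",                # 1: time-based blind
        r"\b(and|or)\b\s+\d+\s*=\s*\d+",            # 2: boolean tautology (1=1)
        r"'\s*(and|or)\s+'",                        # 3: boolean in string context
        r"\b(extractvalue|updatexml)\s*\(",         # 4: error-based
        r"(--|#|/\*)\s*$",                          # 5: trailing comment truncating the query
    )
]


def decode(s, rounds=3):
    """URL-decode repeatedly (bounded) so %2527 -> %27 -> ' is still caught."""
    prev = None
    for _ in range(rounds):
        if s == prev:
            break
        prev, s = s, unquote_plus(s)
    return s


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, path_prefix="/plugins/tasklists/"):
    """Indexes of SQLI_PATTERNS matching the decoded request path, restricted
    to the given path prefix; [] for out-of-scope or clean requests."""
    path = decode(entry["path"])
    if path_prefix.lower() not in path.lower():
        return []
    return [i for i, p in enumerate(SQLI_PATTERNS) if p.search(path)]


def scan(lines, path_prefix="/plugins/tasklists/"):
    hits = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        matched = classify(entry, path_prefix)
        if matched:
            hits.append({"ip": entry["ip"], "time": entry["time"],
                         "path": entry["path"], "status": entry["status"],
                         "patterns": matched})
    return hits


def burst_sources(hits, min_hits=2):
    """Source IPs with at least min_hits flagged requests (automation indicator)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


# Constructed sample log; addresses are documentation ranges, paths illustrative.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /plugins/tasklists/front/task.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /plugins/tasklists/front/task.php?id=12%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.8"
203.0.113.5 - - [10/Jan/2025:10:00:09 +0000] "GET /plugins/tasklists/front/task.php?id=12%2527%2520AND%25201%253D1%2523 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:10 +0000] "GET /front/ticket.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 200 900 "-" "curl/8.0"
198.51.100.8 - - [10/Jan/2025:10:00:11 +0000] "POST /plugins/tasklists/front/task.form.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["time"], h["ip"], h["status"], "patterns", h["patterns"], h["path"])
    print("bursting sources:", burst_sources(found))
```

In the sample, the first request is clean, the second is a time-based probe, the third is the same attack double-encoded, the fourth is SQLi against a different GLPI path and is dropped by the prefix scope (pass `path_prefix="/"` to scan everything), and the POST is invisible because its body is not in the access log. That last case is the reason a WAF or application-level log is needed alongside this kind of access-log analysis.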