GLPI - Ripe for the Injecting
I'll move on from GLPI eventually and start working on some interesting technical stuff, but today is not that day.
We ditched GLPI after we got hit by an accidental SQLi from HaveIBeenPwned. In short, version 9.4.5 is vulnerable to an SQL injection flaw: you can trigger it by sending an email (say, to helpdesk@company.tld), and once the email is automatically turned into a ticket and assigned, the SQL is executed. This affected us because the obscenely simple execution string was included in the header of the HaveIBeenPwned email notification.
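To make the mechanism concrete, here is an added example (not GLPI's code, and not the string from the HaveIBeenPwned email) showing why an email header can end up as executed SQL. It assumes a hypothetical `tickets` table and a constructed inbound mail whose sender name and subject contain ordinary apostrophes. The unsafe version splices the header text straight into the statement, and the apostrophes break the query exactly the way an accidental or deliberate injection would; the safe version passes the same text as bound parameters and stores it intact.

```python
import sqlite3
from email import message_from_string

# Constructed sample mail (not the real notification): a requester and subject
# containing apostrophes, the simplest thing that breaks naive SQL building.
SAMPLE_EMAIL = """From: Alice O'Brien <alice@example.org>
To: helpdesk@company.tld
Subject: Can't log in to O'Brien's account

Please help.
"""


def open_db():
    """In-memory stand-in for the ticketing database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, requester TEXT, subject TEXT)"
    )
    return conn


def parse_mail(raw):
    """Return the From and Subject headers of a raw RFC 822 message."""
    msg = message_from_string(raw)
    return msg["From"], msg["Subject"]


def insert_ticket_unsafe(conn, requester, subject):
    # Vulnerable pattern: untrusted header text concatenated into the SQL text.
    # Any quote character in the mail changes the structure of the statement.
    sql = (
        "INSERT INTO tickets (requester, subject) "
        f"VALUES ('{requester}', '{subject}')"
    )
    conn.execute(sql)


def insert_ticket_safe(conn, requester, subject):
    # Hardened pattern: placeholders keep header text as data, never as SQL.
    conn.execute(
        "INSERT INTO tickets (requester, subject) VALUES (?, ?)",
        (requester, subject),
    )
    return conn.execute(
        "SELECT requester, subject FROM tickets ORDER BY id DESC LIMIT 1"
    ).fetchone()


def demo():
    """Run both insert styles on the sample mail and report what happened."""
    conn = open_db()
    requester, subject = parse_mail(SAMPLE_EMAIL)
    outcomes = {}
    try:
        insert_ticket_unsafe(conn, requester, subject)
        outcomes["unsafe"] = "accepted"
    except sqlite3.OperationalError as exc:
        # The apostrophes terminate the string literal early; the rest of the
        # header is then parsed as SQL, which here surfaces as a syntax error.
        outcomes["unsafe"] = f"error: {exc}"
    outcomes["safe"] = insert_ticket_safe(conn, requester, subject)
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for a defender is that the email-to-ticket path is an unauthenticated input channel into the database: every header the collector copies into a query has to be bound as a parameter (or escaped by the database layer), and an apostrophe in a perfectly legitimate sender name is enough to prove whether that is the case.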
I've just been poking around GLPI again (we have kept it around for non-end-user stuff, isolated and kept out of reach) and noticed that there was a “telemetry” scheduled task in the list of Automatic Actions which got me curious.
GLPI have decided to publish some of their telemetry data, which is nice of them. But it shows that there's still a significant number of users running 9.4.5 and older.
Of the installs that report telemetry in the last year (and only those installs on 9.2 and above do this), 14,313 are on a version at or below 9.4.5, whilst 26,985 are on 9.4.6 and above. Over 34% of GLPI installs are potentially* vulnerable to this painfully simple exploit but over 12% of installs absolutely are still vulnerable as they're on 9.4.5 exactly.
*Potentially, but I suspect only 9.4.5 is vulnerable - they fixed it by accident in 9.4.6 here, which looks like a response to an issue that appeared in 9.4.5.
We learned a lesson with the GLPI issue - keep your software up to date. Though to be fair to us, it was up to date according to their website at the time. There was a newer version available (9.4.6) but that wasn't advertised anywhere.
I hope these out-of-date installs get updated. We know there's a lot of malicious activity out there, but at the same time... accidents can happen.