External risk intelligence

GLPI Allows PHP Code Injection

CVE advisory | Known Exploit

CVE-2022-35914

A vulnerability in a GLPI module allows for PHP code injection. This could enable unauthorized access to systems and data, posing a business risk. Organizations should review their GLPI instances for potential impact.

Halo Surface Signal: 3

Weakness: Code Injection

Vendor / product: Glpi Project Glpi

Affected versions: 10.0.2 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2022-35914

The vulnerability exists in a test file (htmLawedTest.php) within a library used by GLPI, an IT service management platform. While GLPI instances are often web-accessible, the specific vulnerable file is a testing utility not intended for production use. Exposure depends on whether administrators have removed or restricted access to such development/testing files in their deployment.

Horizon Alert

Summary of the vulnerability and why it matters

The htmlawed module within GLPI is susceptible to an injection flaw. This vulnerability permits an attacker to inject and execute arbitrary code. The potential impact includes unauthorized system access, data manipulation, and disruption of services.

  • Vulnerable GLPI htmlawed module.
  • Allows PHP code injection.
  • Leads to unauthorized access and data compromise.

Attack Path

How an attacker could exploit the issue

This vulnerability allows for PHP code injection through a test file within a third-party library used by GLPI. Organizations using affected versions of GLPI may be at risk if the vulnerable test file is accessible. An attacker could exploit this to execute arbitrary code on the affected system, potentially leading to unauthorized access or data compromise.

  • Vulnerable test file is exposed.
  • Attacker sends specially crafted input.
  • PHP code executes, granting control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk due to its potential for remote code execution, allowing attackers to compromise systems without prior access. The ease of exploitation and the critical impact on confidentiality, integrity, and availability of data and systems elevate the urgency for affected organizations. Immediate attention and remediation are advised to mitigate the threat.

  • Likely attacker skill: Low.
  • Required access: None.
  • Business risk: High; urgent action required.
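For the monitoring side of this threat context, the following is an added example (not part of the advisory, not GLPI project code) that scans web-server access logs for requests to the htmLawed test file and ranks them for review. The log lines are constructed, the combined-log regex is an assumption about your log format, and `<LIBRARY_DIR>` is a placeholder for the library directory, which the advisory does not give.

```python
"""Access-log triage for requests to the htmLawed test file (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status bytes
# (assumption about the log format; adjust the pattern to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# File named in the advisory; the directory it lives in is not given there.
TEST_FILE = "htmLawedTest.php"


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit for any request that touches the test file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"]
    if TEST_FILE.lower() not in path.lower():
        return None
    status = int(m["status"])
    # A test utility should never be requested in production. A successful
    # POST (a form submission to the test page) is the pattern to escalate;
    # a successful GET shows the file is reachable; a blocked or missing
    # request still records that someone looked for it.
    if status == 200 and m["method"] == "POST":
        severity = "high"
    elif status == 200:
        severity = "medium"
    else:
        severity = "low"
    return Hit(m["ip"], m["ts"], m["method"], path, status, severity)


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (classify(l) for l in lines) if h is not None]


def summarize(hits: List[Hit]) -> Counter:
    """Requests per source address, for quick pivoting in an investigation."""
    return Counter(h.ip for h in hits)


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '203.0.113.9 - - [12/Oct/2022:10:01:10 +0000] "GET /<LIBRARY_DIR>/htmLawedTest.php HTTP/1.1" 200 3321',
    '203.0.113.9 - - [12/Oct/2022:10:01:15 +0000] "POST /<LIBRARY_DIR>/htmLawedTest.php HTTP/1.1" 200 411',
    '198.51.100.7 - - [12/Oct/2022:10:05:00 +0000] "GET /<LIBRARY_DIR>/htmLawedTest.php HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"[{h.severity:6}] {h.ts} {h.ip} {h.method} {h.path} -> {h.status}")
    print("per source:", dict(summarize(found)))
```

Feed it `sys.stdin` or an opened log file instead of `SAMPLE_LOG`; a "high" hit on a host that is still on 10.0.2 or earlier is the case to treat as a possible compromise rather than a probe.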

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The organization should address a critical vulnerability affecting its GLPI instances. This vulnerability allows for PHP code injection, posing a significant risk to systems and data. The primary impact involves potential unauthorized access and control over affected GLPI instances.

  • Find GLPI assets and versions.
  • Isolate or reduce exposure.
  • Apply vendor fixes and validate.
  • Monitor for related issues.
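The four steps above, worked through as one added example (not part of the advisory and not GLPI project code): it takes an inventory of GLPI base URLs and versions, flags anything at 10.0.2 or earlier, checks whether the test file answers over HTTP, orders the findings so exposed hosts come first, and emits a web-server deny rule as a stopgap until the vendor fix is applied. The inventory and HTTP responses are constructed for an offline run, and `<LIBRARY_DIR>` is a placeholder for the directory the test file sits in, which the advisory does not state.

```python
"""Fleet triage for CVE-2022-35914 (added example, not from the advisory)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# From the advisory: GLPI 10.0.2 and earlier are affected.
LAST_AFFECTED_VERSION = (10, 0, 2)

# The advisory names the file but not its directory; the directory is a
# labelled placeholder (assumption) to be filled in from your own deployment.
TEST_FILE_RELATIVE_PATH = "<LIBRARY_DIR>/htmLawedTest.php"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.2' into (10, 0, 2); a suffix such as '-rc1' is ignored."""
    parts = re.findall(r"\d+", version.split("-")[0])
    if not parts:
        raise ValueError(f"unparseable GLPI version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    return parse_version(version) <= LAST_AFFECTED_VERSION


@dataclass
class Finding:
    host: str
    version: str
    affected: bool
    test_file_reachable: bool
    actions: List[str] = field(default_factory=list)


def check_test_file(base_url: str, fetch_status: Callable[[str], int]) -> bool:
    """True if the test-file URL answers 200 through the web server."""
    url = base_url.rstrip("/") + "/" + TEST_FILE_RELATIVE_PATH
    return fetch_status(url) == 200


def triage(inventory: Dict[str, str], fetch_status: Callable[[str], int]) -> List[Finding]:
    findings = []
    for base_url, version in inventory.items():
        affected = is_affected(version)
        reachable = affected and check_test_file(base_url, fetch_status)
        f = Finding(base_url, version, affected, reachable)
        if not affected:
            f.actions.append("no action: version newer than 10.0.2")
        else:
            if reachable:
                f.actions.append("isolate: block the test file at the web server now")
            f.actions.append("remove or deny the test file and other library test/dev files")
            f.actions.append("apply the vendor fix (upgrade past 10.0.2) and re-run this check")
        findings.append(f)
    # Exposed-and-affected hosts first, then affected, then the rest.
    findings.sort(key=lambda f: (not f.test_file_reachable, not f.affected, f.host))
    return findings


def deny_rule(server: str) -> str:
    """Web-server snippet that refuses requests for the test file (stopgap, not the fix)."""
    if server == "nginx":
        return "location ~ /htmLawedTest\\.php$ { deny all; }"
    if server == "apache":
        return '<Files "htmLawedTest.php">\n    Require all denied\n</Files>'
    raise ValueError(f"unsupported server: {server}")


# Constructed inventory and canned HTTP responses so the example runs offline.
SAMPLE_INVENTORY = {
    "https://glpi-old.example.test": "10.0.2",
    "https://glpi-legacy.example.test": "9.5.9",
    "https://glpi-new.example.test": "10.0.3",
}
SAMPLE_RESPONSES = {
    "https://glpi-old.example.test/" + TEST_FILE_RELATIVE_PATH: 200,
    "https://glpi-legacy.example.test/" + TEST_FILE_RELATIVE_PATH: 403,
}


def sample_fetch_status(url: str) -> int:
    return SAMPLE_RESPONSES.get(url, 404)


def run_sample() -> List[Finding]:
    return triage(SAMPLE_INVENTORY, sample_fetch_status)


if __name__ == "__main__":
    for f in run_sample():
        state = "EXPOSED" if f.test_file_reachable else ("affected" if f.affected else "ok")
        print(f"{f.host} {f.version} {state}: " + "; ".join(f.actions))
    print(deny_rule("nginx"))
```

Against real hosts, pass a `fetch_status` built on `urllib.request.urlopen` (catching `HTTPError` and returning its `.code`) and keep the placeholder directory replaced with the one from your install; the deny rule only reduces exposure, the vendor update is the fix.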

Frequently asked questions

What is GLPI and what is the htmlawed module used for?

GLPI is an IT service management platform used by organizations to manage IT assets, incidents, and service requests. The htmlawed module, which is affected by this vulnerability, is a third-party library that helps to sanitize and filter HTML content within GLPI.

How does the CVE-2022-35914 vulnerability allow PHP code injection?

CVE-2022-35914 is a PHP code injection vulnerability (CWE-74) because a test file within the htmlawed module does not properly sanitize user input. This allows an attacker to submit specially crafted input that is interpreted as PHP code, leading to its execution on the server.

What are the conditions needed for an attacker to exploit this vulnerability?

An attacker can exploit this vulnerability if the affected test file, htmLawedTest.php, is accessible. The vulnerability is not triggered if this specific test file is removed or access to it is restricted. No special privileges or user interaction are required from the attacker.

Who should be concerned about this vulnerability based on its exposure?

Organizations running GLPI versions up to 10.0.2 should be concerned if the test file containing the vulnerability is accessible over the internet. While GLPI instances are often internet-facing, the risk is elevated if these development or testing files have not been secured or removed from production environments.

What is the first step to respond to this CVE threat advisory?

The first step is to identify all GLPI assets within your environment and determine their exact versions. Subsequently, you should investigate whether the vulnerable test file is accessible and take immediate action to isolate affected systems or apply vendor-provided updates.
