CVE-2020-11060 Overview
CVE-2020-11060 is a command injection vulnerability in GLPI (Gestionnaire Libre de Parc Informatique) before version 9.4.6 that allows an attacker to execute arbitrary system commands by abusing the backup functionality. This vulnerability can theoretically be exploited without a valid account through Cross-Site Request Forgery (CSRF), though practical exploitation typically requires an account with Maintenance privileges and the right to add WIFI networks.
Critical Impact
An attacker with sufficient privileges can achieve remote code execution on the underlying server, potentially leading to complete system compromise, data exfiltration, and lateral movement within the network.
Affected Products
- GLPI versions prior to 9.4.6
- glpi-project GLPI (all installations without the security patch)
- Organizations using GLPI for IT asset management and helpdesk operations
Discovery Timeline
- 2020-05-12 - CVE-2020-11060 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-11060
Vulnerability Analysis
The vulnerability exists in GLPI's backup functionality where user-controlled input is not properly sanitized before being passed to system commands. This creates a command injection vector that allows attackers to execute arbitrary commands on the underlying operating system with the privileges of the web server process.
The attack combines two distinct weaknesses: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-352 (Cross-Site Request Forgery). The command injection flaw enables code execution, while the CSRF weakness potentially allows this to be triggered without direct authentication if an administrator can be tricked into visiting a malicious page.
Exploitation requires network access. While the primary attack path assumes Maintenance privileges with WIFI network management rights, the CSRF vector theoretically lowers this barrier for targeted attacks against privileged users.
Root Cause
The root cause stems from insufficient input validation in the XML backup functionality. The backup feature processes user-supplied data that gets incorporated into system-level operations without proper sanitization or escaping of shell metacharacters. This allows specially crafted input containing command separators or shell operators to break out of the intended context and execute arbitrary commands.
Attack Vector
The attack leverages the network-accessible GLPI web interface to submit malicious input through the backup functionality. An authenticated attacker with Maintenance privileges can directly exploit the vulnerability, while unauthenticated attackers may leverage CSRF to trick an authenticated administrator into triggering the malicious request. Successful exploitation results in command execution with the privileges of the web server user.
The following patch shows how GLPI addressed the vulnerability by modifying the configuration handling in front/config.form.php:
include ('../inc/includes.php');
Session::checkRight("config", READ);
+if (isset($_GET['check_version'])) {
+ Session::addMessageAfterRedirect(
+ Toolbox::checkNewVersionAvailable()
+ );
+ Html::back();
+}
+
$config = new Config();
$_POST['id'] = 1;
if (!empty($_POST["update_auth"])) {
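Review bot: The new `check_version` branch acts on a bare GET parameter guarded only by `Session::checkRight("config", READ)`, with no CSRF token check, even though this advisory pairs the issue with CWE-352; either route the action through a POST form with the token check GLPI applies to its other forms, or add a comment stating that `Toolbox::checkNewVersionAvailable()` only reads the remote version string and changes no state, so a forged GET is harmless. Note also that this hunk contains only the added version-check branch; the removal of the XML backup code that the surrounding text credits to this commit is not visible here.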
Source: GitHub GLPI Commit
Additional changes were made to inc/config.class.php to provide a safer version checking mechanism:
echo "<table class='tab_cadre_fixe'>";
echo "<tr><th>". __('Information about system installation and configuration')."</th></tr>";
+ echo "<tr class='tab_bg_1'><td>";
+ echo "<a class='vsubmit' href='?check_version'>".__('Check if a new version is available')."</a>";
+ echo "</td></tr>";
$oldlang = $_SESSION['glpilanguage'];
// Keep this, for some function call which still use translation (ex showAllReplicateDelay)
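Review bot: The anchor `href='?check_version'` is emitted with nothing tying it to its handler, which lives in a different file (front/config.form.php), so a reader of inc/config.class.php alone cannot tell what the parameter does or which right it requires; a one-line comment above the `echo` naming the handler would fix that, and because the link carries no form or token it should stay limited to actions that are safe to trigger with a plain GET.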
Source: GitHub GLPI Commit
Detection Methods for CVE-2020-11060
Indicators of Compromise
- Unusual system command execution originating from the web server process (e.g., www-data, apache, or nginx users)
- Suspicious backup-related requests in GLPI access logs containing shell metacharacters
- Unexpected outbound network connections from the GLPI server
- Modified or newly created files in web-accessible directories with execution permissions
Detection Strategies
- Monitor web server logs for requests to GLPI backup endpoints with suspicious parameters
- Implement application-layer firewall rules to detect command injection patterns in HTTP requests
- Deploy endpoint detection to identify anomalous process spawning from web server parent processes
- Review audit logs for unusual backup operations or configuration changes by Maintenance accounts
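The log-review and referrer items above can be turned into a small scanner. The following is an added example written for this page, not code from the GLPI project or the advisory: it parses access-log lines in the common "combined" format, keeps only requests to a watched endpoint, URL-decodes each query parameter (repeatedly, to catch double encoding) and flags shell metacharacters, and additionally flags requests whose Referer host is not one of your own GLPI hosts, which is the pattern a CSRF-triggered request would leave. The endpoint path `/front/backup.php`, the parameter names and the sample log lines are constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines ("combined" format). The endpoint
# and parameter names are assumptions, not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2020:10:01:12 +0000] "GET /glpi/front/backup.php?dump=1 HTTP/1.1" 200 512 "https://glpi.example/front/backup.php" "Mozilla/5.0"
10.0.0.5 - - [12/May/2020:10:02:40 +0000] "GET /glpi/front/backup.php?file=weekly%3Bid HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/May/2020:10:03:03 +0000] "POST /glpi/front/backup.php?xmlfile=report%2524%2528id%2529 HTTP/1.1" 302 0 "https://evil.example/" "Mozilla/5.0"
10.0.0.9 - - [12/May/2020:10:04:15 +0000] "GET /glpi/front/ticket.php?id=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints whose parameters end up near system-level operations (assumption).
WATCHED_PATHS = ("/front/backup.php",)
# Command separators and substitution openers; '<' and '>' are left out
# because XML-related parameters may legitimately contain them.
METACHAR_RE = re.compile(r'[;|&`\n]|\$\(|\$\{')


def fully_unquote(value, rounds=3):
    """Decode percent-encoding until stable, so %253B is seen as ';'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line, trusted_hosts):
    """Return a finding dict for a suspicious watched request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not any(url.path.endswith(p) for p in WATCHED_PATHS):
        return None
    reasons = []
    # parse_qsl decodes once; fully_unquote handles nested encoding.
    for key, raw in parse_qsl(url.query, keep_blank_values=True):
        if METACHAR_RE.search(fully_unquote(raw)):
            reasons.append(f"shell metacharacter in parameter {key!r}")
    ref = m["referer"]
    if ref and ref != "-":
        ref_host = urlsplit(ref).hostname
        if ref_host not in trusted_hosts:
            reasons.append(f"foreign referer {ref_host}")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "method": m["method"],
            "target": m["target"], "reasons": reasons}


def scan_log(text, trusted_hosts):
    """Run analyze_line over every non-empty line and collect findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = analyze_line(line, trusted_hosts)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, {"glpi.example"}):
        print(f["time"], f["ip"], f["method"], f["target"], "->", "; ".join(f["reasons"]))
```

Feed it real logs with `scan_log(open(path).read(), {your GLPI hostnames})`; the metacharacter list is deliberately narrow, so tune it against a sample of legitimate backup traffic before alerting on it.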
Monitoring Recommendations
- Enable verbose logging for GLPI administrative actions, particularly backup and configuration operations
- Configure intrusion detection systems to alert on command injection signatures targeting GLPI endpoints
- Monitor system process trees for child processes spawned by the web server that execute shells or system utilities
- Implement file integrity monitoring on GLPI installation directories
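The process-tree item above is the host-side counterpart of the log check. This added example is not part of the advisory or of GLPI: given a process snapshot (a list of pid, ppid, user, comm and cmdline), it flags any shell or common tool whose ancestry leads back to a web server or PHP worker process, while letting through `sh -c` wrappers that only start an allowlisted helper with a metacharacter-free command line. The web server and helper names, and the snapshot itself, are constructed assumptions; `read_proc_snapshot()` shows how to build the same structure from a live Linux `/proc`.

```python
import os
import re

WEB_SERVER_COMMS = {"apache2", "httpd", "nginx", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "zsh"}
SHELLS_AND_TOOLS = SHELLS | {"curl", "wget", "nc", "ncat", "perl", "python3", "socat"}
# Helpers the application is expected to launch; assumption, tune per deployment.
ALLOWED_CHILDREN = {"mysqldump", "gzip"}
METACHAR_RE = re.compile(r'[;|&`]|\$\(')

# Constructed snapshot: an Apache worker that ran an allowlisted dump,
# the same worker spawning an ad-hoc shell, and an unrelated root shell.
SAMPLE_PROCS = [
    {"pid": 1, "ppid": 0, "user": "root", "comm": "systemd", "cmdline": "/sbin/init"},
    {"pid": 800, "ppid": 1, "user": "root", "comm": "apache2", "cmdline": "/usr/sbin/apache2 -k start"},
    {"pid": 812, "ppid": 800, "user": "www-data", "comm": "apache2", "cmdline": "/usr/sbin/apache2 -k start"},
    {"pid": 2100, "ppid": 812, "user": "www-data", "comm": "sh", "cmdline": "sh -c mysqldump --single-transaction glpi"},
    {"pid": 2101, "ppid": 2100, "user": "www-data", "comm": "mysqldump", "cmdline": "mysqldump --single-transaction glpi"},
    {"pid": 2200, "ppid": 812, "user": "www-data", "comm": "sh", "cmdline": "sh -c uname -a"},
    {"pid": 2201, "ppid": 2200, "user": "www-data", "comm": "bash", "cmdline": "bash -i"},
    {"pid": 3000, "ppid": 1, "user": "root", "comm": "bash", "cmdline": "bash"},
    {"pid": 3001, "ppid": 3000, "user": "root", "comm": "curl", "cmdline": "curl https://updates.example/"},
]


def invoked_program(cmdline):
    """For 'sh -c PROG args' return PROG, otherwise the first token."""
    tokens = cmdline.split()
    if not tokens:
        return ""
    if os.path.basename(tokens[0]) in SHELLS and "-c" in tokens:
        i = tokens.index("-c")
        if i + 1 < len(tokens):
            return os.path.basename(tokens[i + 1])
    return os.path.basename(tokens[0])


def is_allowed(proc):
    """Allowlisted helper launched without shell metacharacters."""
    return (invoked_program(proc["cmdline"]) in ALLOWED_CHILDREN
            and not METACHAR_RE.search(proc["cmdline"]))


def web_ancestor(proc, by_pid, max_depth=32):
    """Return the nearest web-server ancestor of proc, or None."""
    seen = set()
    cur = by_pid.get(proc["ppid"])
    while cur and cur["pid"] not in seen and len(seen) < max_depth:
        if cur["comm"] in WEB_SERVER_COMMS:
            return cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return None


def find_suspicious(procs):
    """Shells/tools descended from a web server, minus allowlisted helpers."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if p["comm"] not in SHELLS_AND_TOOLS or is_allowed(p):
            continue
        anc = web_ancestor(p, by_pid)
        if anc:
            findings.append({"pid": p["pid"], "comm": p["comm"], "user": p["user"],
                             "cmdline": p["cmdline"], "web_parent": anc["pid"]})
    return findings


def read_proc_snapshot():
    """Build the same structure from a live Linux /proc (not used by tests)."""
    import pwd
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            uid = int(fields["Uid"].split()[0])
            procs.append({"pid": int(entry), "ppid": int(fields["PPid"]),
                          "user": pwd.getpwuid(uid).pw_name,
                          "comm": fields["Name"].strip(), "cmdline": cmdline})
        except (OSError, KeyError, ValueError):
            continue  # process exited or unreadable; skip it
    return procs


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_PROCS):
        print(f"pid {f['pid']} ({f['comm']}, {f['user']}) under web pid {f['web_parent']}: {f['cmdline']}")
```

Run it periodically (or from an EDR hook) with `find_suspicious(read_proc_snapshot())`; the allowlist is keyed on the program a wrapper shell actually invokes, so a dump job passes while the same wrapper carrying a command separator does not.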
How to Mitigate CVE-2020-11060
Immediate Actions Required
- Upgrade GLPI to version 9.4.6 or later immediately
- Review Maintenance privilege assignments and remove unnecessary access rights
- Audit WIFI network management permissions and restrict to essential personnel only
- Implement web application firewall rules to filter potentially malicious backup requests
Patch Information
GLPI version 9.4.6 contains the security fix for this vulnerability. The patch removes the vulnerable XML backup functionality and implements a safer version checking mechanism. Organizations should apply the patch by upgrading to version 9.4.6 or later. The security fix is documented in the GitHub Security Advisory and the specific code changes can be reviewed in commit ad748d59c94da177a3ed25111c453902396f320c.
Workarounds
- Restrict network access to GLPI administrative interfaces using firewall rules or VPN requirements
- Implement CSRF tokens and validate referrer headers if not already enforced
- Disable or remove the backup functionality if not operationally required until patching is possible
- Limit Maintenance privileges to a minimal number of trusted accounts with strong authentication
# Configuration example - Restrict access to GLPI admin functions via Apache
<Directory /var/www/glpi/front>
    <FilesMatch "config\.form\.php">
        Require ip 10.0.0.0/8
        Require ip 192.168.0.0/16
    </FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

