CVE-2022-35914 Overview
CVE-2022-35914 is a PHP code injection vulnerability in the htmlawed module for GLPI (Gestion Libre de Parc Informatique) through version 10.0.2. The vulnerability exists in /vendor/htmlawed/htmlawed/htmLawedTest.php, which allows unauthenticated attackers to inject and execute arbitrary PHP code on vulnerable systems. This vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Critical Impact
This vulnerability allows unauthenticated remote attackers to execute arbitrary PHP code on affected GLPI installations, potentially leading to complete system compromise, data theft, and lateral movement within enterprise networks.
Affected Products
- GLPI (Gestion Libre de Parc Informatique) versions through 10.0.2
- glpi-project/glpi packages that ship the bundled htmlawed module
- Any deployment that leaves the bundled htmLawedTest.php test file reachable over HTTP
Discovery Timeline
- 2022-09-19 - CVE-2022-35914 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2022-35914
Vulnerability Analysis
The vulnerability resides in the htmLawedTest.php file, which is a testing utility bundled with the htmLawed HTML sanitization library included in GLPI installations. This test file was never intended for production deployment but is inadvertently exposed in GLPI distributions through version 10.0.2.
The core issue stems from improper input validation in the test interface, which allows user-supplied input to be processed by PHP functions in an unsafe manner. When the test file is accessible via a web request, attackers can craft malicious requests that inject arbitrary PHP code, which is then executed in the context of the web server.
This vulnerability is particularly dangerous because it requires no authentication, can be exploited remotely over the network, and provides full code execution capabilities. The htmLawed library is widely used for HTML filtering, but the inclusion of test files in production environments creates an unintended attack surface.
Root Cause
The root cause is a code injection vulnerability (CWE-74) in the htmLawedTest.php file. The test script accepts user input and passes it to internal PHP functions without proper sanitization or validation. This allows attackers to inject PHP code through specially crafted HTTP requests that bypass expected input handling and achieve arbitrary code execution.
The fundamental design flaw is the inclusion of a development/testing file in production GLPI packages, combined with insufficient input validation in that test file. The htmLawed library itself is designed for HTML sanitization, but its test harness was not designed with security considerations for public-facing deployments.
Attack Vector
The attack is conducted remotely over the network without requiring authentication. Attackers target the exposed htmLawedTest.php endpoint with specially crafted POST requests containing malicious PHP code. The vulnerability allows execution with the privileges of the web server process, enabling attackers to:
- Execute arbitrary system commands
- Read and modify files on the server
- Establish persistent backdoor access
- Pivot to other systems on the network
- Exfiltrate sensitive data from the GLPI database
Exploitation details and proof-of-concept code are publicly available through the Orange Cyberdefense CVE Repository and documented on Packet Storm Security. Additional technical analysis is available in the Mayfly Blog writeup.
Detection Methods for CVE-2022-35914
Indicators of Compromise
- HTTP POST requests targeting /vendor/htmlawed/htmlawed/htmLawedTest.php or similar paths
- Web server logs showing access to htmLawedTest.php with unusual POST parameters
- Unexpected PHP processes spawned by the web server user
- Creation of new files in web-accessible directories, particularly PHP shells or backdoors
- Outbound network connections from the web server to unknown destinations
Detection Strategies
- Monitor web server access logs for requests to htmLawedTest.php files, which should not be accessed in production
- Deploy Web Application Firewall (WAF) rules to block requests containing PHP code injection patterns
- Implement file integrity monitoring on GLPI installation directories to detect unauthorized modifications
- Use network intrusion detection systems to identify exploitation attempts and post-compromise activity
Monitoring Recommendations
- Configure alerting for any HTTP requests to paths containing htmLawedTest.php
- Establish baseline behavior for the GLPI application and alert on anomalous process execution
- Monitor for command execution patterns typical of web shell activity (e.g., whoami, id, uname, wget, curl)
- Review authentication logs for suspicious access patterns following potential exploitation
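To make the log-based detection above concrete, here is an added Python example (not code from the original advisory or from the GLPI project) that scans access-log lines in the Apache/nginx combined format, flags every hit on htmLawedTest.php regardless of letter case or query string, and labels it as a probe (GET), an exploit attempt (POST), or a blocked request (4xx/5xx status). The log lines are constructed sample data, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2022:10:01:02 +0000] "GET /glpi/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2022:10:01:05 +0000] "GET /glpi/vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 8871 "-" "python-requests/2.28"
203.0.113.7 - - [19/Sep/2022:10:01:06 +0000] "POST /glpi/vendor/htmlawed/htmlawed/htmLawedTest.php?sid=1 HTTP/1.1" 200 1203 "-" "python-requests/2.28"
198.51.100.9 - - [19/Sep/2022:10:02:00 +0000] "POST /glpi/front/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Sep/2022:10:03:14 +0000] "GET /GLPI/vendor/htmlawed/htmlawed/htmlawedtest.php HTTP/1.1" 403 199 "-" "curl/7.85"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Case-insensitive match on the file name; anything after '?' (query string) is ignored.
TARGET_RE = re.compile(r'/htmlawedtest\.php(?:$|\?)', re.IGNORECASE)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Label a parsed entry, or return None when it does not touch htmLawedTest.php."""
    if not TARGET_RE.search(entry["path"]):
        return None
    if entry["status"].startswith(("4", "5")):
        return "blocked"            # denied by the web server: mitigation in place, still worth counting
    return "exploit-attempt" if entry["method"] == "POST" else "probe"

def scan(log_text):
    """Return one finding per relevant request, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue                # skip lines that are not in combined format
        label = classify(entry)
        if label:
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
                             "status": entry["status"], "ua": entry["ua"], "label": label})
    return findings

def summarize(findings):
    """Count findings per (source IP, label) so repeat offenders stand out."""
    return Counter((f["ip"], f["label"]) for f in findings)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(summarize(scan(SAMPLE_LOG)))
```

Any "probe" or "exploit-attempt" with a 200 status on a host still running GLPI 10.0.2 or earlier is a reason to start the forensic review described in the mitigation section.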
How to Mitigate CVE-2022-35914
Immediate Actions Required
- Upgrade GLPI to version 10.0.3 or later immediately, as announced in the GLPI 10.0.3 Release
- If immediate upgrade is not possible, remove or restrict access to the htmLawedTest.php file
- Conduct forensic analysis of web server logs to determine if exploitation has occurred
- Isolate affected systems from the network if compromise is suspected
- Reset credentials for any accounts that may have been exposed through the GLPI system
Patch Information
GLPI-Project has addressed this vulnerability in GLPI version 10.0.3. The patch removes the vulnerable test file from the distribution and addresses the underlying code injection issue. Organizations should upgrade to GLPI 10.0.3 or later from the official GLPI releases page.
Given that this vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, federal agencies and organizations following CISA guidance are required to remediate this vulnerability according to specified timelines. See the CISA KEV Catalog entry for details.
Workarounds
- Delete or rename the htmLawedTest.php file: rm /path/to/glpi/vendor/htmlawed/htmlawed/htmLawedTest.php
- Block access to the vulnerable file at the web server level using .htaccess or nginx configuration
- Implement network-level access controls to restrict access to GLPI administrative interfaces
- Deploy a web application firewall with rules specifically targeting PHP code injection attempts
# Remove the vulnerable test file (adjust the path to your GLPI install root)
rm /var/www/glpi/vendor/htmlawed/htmlawed/htmLawedTest.php
# Or block access via Apache .htaccess (Apache 2.4 syntax; the directory must be
# covered by an AllowOverride setting that honours .htaccess, otherwise the rule is ignored)
echo '<Files "htmLawedTest.php">' >> /var/www/glpi/vendor/htmlawed/htmlawed/.htaccess
echo ' Require all denied' >> /var/www/glpi/vendor/htmlawed/htmlawed/.htaccess
echo '</Files>' >> /var/www/glpi/vendor/htmlawed/htmlawed/.htaccess
# Or block via nginx configuration
# Add to your GLPI server block, placed before the generic "location ~ \.php$" handler
# (nginx uses the first matching regex location), then reload nginx:
# location ~ htmLawedTest\.php$ { deny all; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.