CVE-2023-42802 Overview
CVE-2023-42802 is a critical vulnerability in GLPI, a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation vulnerability allows attackers to upload malicious PHP files to unintended directories. Depending on web server configuration and available system libraries, these malicious PHP files can then be executed through web server requests, leading to remote code execution.
Critical Impact
This vulnerability enables unauthenticated attackers to upload and execute arbitrary PHP code on vulnerable GLPI installations, potentially leading to complete system compromise, data theft, and lateral movement within the network.
Affected Products
- GLPI versions 10.0.7 through 10.0.9
- glpi-project glpi
- Self-hosted GLPI installations running vulnerable versions
Discovery Timeline
- 2023-11-02 - CVE-2023-42802 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-42802
Vulnerability Analysis
This vulnerability stems from improper validation during object instantiation within GLPI's codebase. The application fails to properly verify the type and destination of objects being instantiated, which creates an attack surface for arbitrary file upload. When an attacker exploits this flaw, they can upload PHP files containing malicious code to directories such as /ajax and /front, which are typically accessible via the web server. Once the malicious PHP file is uploaded, the attacker can trigger its execution by simply requesting the file through an HTTP request, achieving remote code execution on the target server.
The vulnerability is classified under CWE-20 (Improper Input Validation) and CWE-434 (Unrestricted Upload of File with Dangerous Type), highlighting both the root cause and the resulting dangerous condition.
Root Cause
The root cause of CVE-2023-42802 lies in the unverified object instantiation mechanism within GLPI. The application does not adequately validate objects during instantiation, allowing attackers to manipulate the process to upload files with arbitrary content and extensions to directories that should be restricted. This lack of input validation on the object instantiation path permits the injection of malicious PHP files that bypass intended security controls.
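The pattern the advisory calls "unverified object instantiation" is easiest to see in generic form. The following is an added illustration, not GLPI's code: a class name taken from a request is resolved without any check, beside the allowlist lookup that closes the hole. The item classes, the `DocumentUploader` class and the function names are hypothetical.

```python
# Added illustration (not GLPI's code): a request-supplied class name resolved
# without verification, and the allowlisted form that a fix would use.
from typing import Dict, Type


class Ticket:
    """Hypothetical item type a request is allowed to name."""
    def __init__(self, payload: dict) -> None:
        self.payload = payload


class Computer:
    """Hypothetical item type a request is allowed to name."""
    def __init__(self, payload: dict) -> None:
        self.payload = payload


class DocumentUploader:
    """Hypothetical class that writes files to disk. It exists in the code
    base for internal use and must never be reachable by name from a request."""
    def __init__(self, payload: dict) -> None:
        self.payload = payload


def instantiate_unverified(itemtype: str, payload: dict):
    """Vulnerable pattern: whatever the request names is looked up in the
    module namespace and constructed, with no check on what was named."""
    cls = globals()[itemtype]
    return cls(payload)


# Hardened pattern: the set of classes a request may name is explicit.
ALLOWED_ITEMTYPES: Dict[str, Type] = {"Ticket": Ticket, "Computer": Computer}


class ForbiddenItemtype(ValueError):
    """Raised when a request names a class outside the allowlist."""


def instantiate_verified(itemtype: str, payload: dict):
    """Fixed pattern: reject anything not in ALLOWED_ITEMTYPES before
    constructing it, so internal classes cannot be reached by name."""
    cls = ALLOWED_ITEMTYPES.get(itemtype)
    if cls is None:
        raise ForbiddenItemtype(f"itemtype not permitted: {itemtype!r}")
    return cls(payload)
```

The defender's check is the allowlist: a dictionary of permitted classes is cheap, auditable, and does not grow silently when new classes are added to the code base.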
Attack Vector
The attack vector for this vulnerability is network-based, requiring no authentication or user interaction. An attacker can remotely exploit this vulnerability by sending specially crafted requests to a vulnerable GLPI instance. The attack sequence typically involves:
- Identifying a vulnerable GLPI installation (versions 10.0.7 to 10.0.9)
- Crafting a malicious request that exploits the unverified object instantiation flaw
- Uploading a PHP webshell or other malicious PHP code to the /ajax or /front directories
- Executing the uploaded file via a direct HTTP request to achieve code execution
The exploitation requires no privileges and can be performed without any user interaction, making this vulnerability particularly dangerous for internet-facing GLPI installations.
Detection Methods for CVE-2023-42802
Indicators of Compromise
- Unexpected PHP files appearing in /ajax or /front directories with recent creation timestamps
- Web server access logs showing requests to unusual or newly created PHP files in restricted directories
- PHP files with obfuscated or encoded content in web-accessible directories
- Outbound network connections from the web server process to unknown external hosts
Detection Strategies
- Monitor file system changes in GLPI's /ajax and /front directories for unauthorized file creation
- Implement web application firewall (WAF) rules to detect malicious upload attempts targeting GLPI endpoints
- Review web server access logs for suspicious POST requests followed by GET requests to the same unusual endpoints
- Deploy integrity monitoring tools to detect unauthorized modifications to the GLPI file structure
Monitoring Recommendations
- Enable and centralize logging for all GLPI web server access and application events
- Configure alerts for new file creation events in the /ajax and /front directories
- Monitor for process spawning from PHP worker processes that could indicate webshell execution
- Implement network traffic analysis to detect potential command and control communications
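Two of the log-based indicators above (requests to PHP files that do not belong in /ajax or /front, and a POST to such a file followed by a GET to it from the same client) can be checked mechanically over web server access logs. The following is an added example, not code from the page or the GLPI project; it assumes the Apache/nginx combined log format, and the baseline of known script names and the sample log lines are constructed for the demonstration.

```python
# Added example (not from the page or the GLPI project): an access-log
# analyzer that flags requests for unexpected .php files under /ajax or
# /front, and a POST to such a file followed by a successful GET to it
# from the same client address.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Combined/common log format as written by Apache and nginx (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PHP = re.compile(r'^/(ajax|front)/[^/?]+\.php$')

# Constructed baseline. In practice generate it from a clean GLPI checkout at
# the deployed release tag, e.g. `find ajax front -name '*.php'`.
KNOWN_SCRIPTS: Set[str] = {
    "/ajax/common.tabs.php",
    "/front/central.php",
    "/front/login.php",
}

Record = Tuple[str, str, str, int]  # ip, method, path without query, status


def parse_line(line: str) -> Optional[Record]:
    """Parses one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = m["path"].split("?", 1)[0]
    return m["ip"], m["method"], path, int(m["status"])


def analyze(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Returns (rule, ip, method, path) findings in log order."""
    findings: List[Tuple[str, str, str, str]] = []
    posted: Dict[str, Set[str]] = defaultdict(set)  # ip -> unknown paths it POSTed to
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec
        if not WATCHED_PHP.match(path) or path in KNOWN_SCRIPTS:
            continue
        findings.append(("unknown_php", ip, method, path))
        if method == "POST":
            posted[ip].add(path)
        elif method == "GET" and status == 200 and path in posted[ip]:
            findings.append(("post_then_get", ip, method, path))
    return findings


# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Nov/2023:10:15:20 +0000] "GET /front/login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Nov/2023:10:15:22 +0000] "POST /ajax/x9q.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.7 - - [03/Nov/2023:10:15:25 +0000] "GET /ajax/x9q.php HTTP/1.1" 200 78 "-" "curl/8.0"',
    '203.0.113.9 - - [03/Nov/2023:10:16:01 +0000] "GET /front/central.php HTTP/1.1" 200 9900 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The baseline is the important input: a request for any .php name that is not in the shipped tree is the strongest single signal here, and the POST-then-GET rule only adds confidence on top of it. Run the analyzer over rotated logs as well, since the upload and the first execution may fall on either side of a rotation.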
How to Mitigate CVE-2023-42802
Immediate Actions Required
- Upgrade GLPI to version 10.0.10 or later immediately
- Audit /ajax and /front directories for any unauthorized or suspicious PHP files
- Review web server logs for evidence of exploitation attempts
- If patching is not immediately possible, implement the workaround by removing write access on /ajax and /front directories
Patch Information
The GLPI project has addressed this vulnerability in version 10.0.10. Organizations should upgrade to this version or later to remediate the vulnerability. The fix can be obtained from the GitHub GLPI Release 10.0.10. For additional details, refer to the GitHub Security Advisory GHSA-rrh2-x4ch-pq3m.
Workarounds
- Remove write access on /ajax and /front directories for the web server user
- Implement strict file upload restrictions at the web server level
- Consider placing GLPI behind a reverse proxy with additional security controls
- Restrict network access to GLPI installations to trusted IP ranges where possible
# Configuration example - Remove write access for web server user
# Navigate to GLPI installation directory
cd /var/www/glpi
# Option 1: strip the write bit for "other" users on the vulnerable directories.
# Note: o-w only affects the "other" class. If the web server account (for
# example www-data) owns these directories or belongs to their group, it can
# still write to them, and Option 2 is the effective workaround.
chmod -R o-w ajax/
chmod -R o-w front/
# Option 2: change ownership to root while keeping read/execute for everyone,
# so only root can write and the web server can still serve the scripts
chown -R root:root ajax/
chown -R root:root front/
chmod -R 755 ajax/
chmod -R 755 front/
# Verify as the web server account (www-data is an assumption; use your own):
# the command should print nothing once no path is writable by that user
sudo -u www-data find ajax/ front/ -writable
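After applying the workaround it is worth checking, from ownership and mode bits rather than from whoever runs the check, that nothing under ajax/ and front/ remains writable by the web server account. The following is an added example, not code from the page or the GLPI project: it walks the two directories and reports every path writable by a given uid/gid, and its `demo()` builds a constructed tree in a temporary directory to show the result before and after hardening. The directory names follow the page; the uid/gid are passed in because the web server account differs between distributions.

```python
# Added example (not from the page or the GLPI project): verifies that the
# workaround took effect by walking ajax/ and front/ and reporting every
# directory or file the web server account could still write to, judged
# from ownership and mode bits rather than from the current user.
import os
import shutil
import stat
import tempfile
from typing import List, Tuple

WATCHED_DIRS = ("ajax", "front")


def writable_by(path: str, uid: int, gid: int) -> bool:
    """True if an account with this uid/gid can write `path` by mode bits.
    Root bypasses mode bits; the web server must not run as root anyway."""
    st = os.lstat(path)
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_tree(glpi_root: str, uid: int, gid: int) -> List[str]:
    """Relative paths under ajax/ and front/ writable by uid/gid, sorted."""
    findings: List[str] = []
    for sub in WATCHED_DIRS:
        top = os.path.join(glpi_root, sub)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirnames, filenames in os.walk(top):
            # The directory itself matters most: write access on it is what
            # lets a new .php file be dropped there.
            for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                if writable_by(p, uid, gid):
                    findings.append(os.path.relpath(p, glpi_root))
    return sorted(findings)


def set_mode_recursive(top: str, dir_mode: int, file_mode: int) -> None:
    """Applies dir_mode to every directory and file_mode to every file."""
    for dirpath, _dirnames, filenames in os.walk(top):
        os.chmod(dirpath, dir_mode)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), file_mode)


def demo() -> Tuple[List[str], List[str]]:
    """Builds a constructed tree owned by the current user, audits it as if
    the web server ran as that user, removes every write bit (what chown to
    root plus 755 achieves when the web server is not the owner), and
    audits again. Returns (findings_before, findings_after)."""
    base = tempfile.mkdtemp(prefix="glpi-audit-")
    uid, gid = os.getuid(), os.getgid()
    try:
        for sub in WATCHED_DIRS:
            os.makedirs(os.path.join(base, sub))
        for rel in ("ajax/common.tabs.php", "front/central.php"):
            open(os.path.join(base, rel), "w").close()
        # Typical deployment: 755 directories, 644 files, owned by the web server user.
        for sub in WATCHED_DIRS:
            set_mode_recursive(os.path.join(base, sub), 0o755, 0o644)
        before = audit_tree(base, uid, gid)
        # Hardened: read/execute only, no write bit for anyone.
        for sub in WATCHED_DIRS:
            set_mode_recursive(os.path.join(base, sub), 0o555, 0o444)
        after = audit_tree(base, uid, gid)
    finally:
        for sub in WATCHED_DIRS:
            set_mode_recursive(os.path.join(base, sub), 0o755, 0o644)
        shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    import sys
    # usage: audit.py /var/www/glpi <uid> <gid>   (uid/gid of the web server account)
    root, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for p in audit_tree(root, uid, gid):
        print("writable by web server:", p)
```

Pass the numeric uid and gid of the account PHP actually runs as (the PHP-FPM pool user when FPM is in use, which is not always the same as the web server's own user); an empty result is the condition the workaround is meant to reach.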
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.