CVE-2020-11060
published 2020-05-12


Priority: P2 (69), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 10.95% (95.3th percentile)
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

Affected (1 range)

Vendor         Product   Version range   Fixed in
glpi-project   glpi      < 9.4.6         9.4.6

Detection & IOCs (extracted from sources)

path: /front/backup.php
url: /front/backup.php?dump=dump&offsettable=312&fichier=
path: /pics/
path: C:\xampp\htdocs\pics\
path: /var/www/html/glpi/pics/
command: ?0=echo%20asdfasdfasdf
  • Detect HTTP GET requests to /front/backup.php with parameters 'dump=dump' and 'fichier=' pointing to a web-accessible path (e.g. /pics/), indicating exploitation of the backup-to-webshell technique.
  • Monitor POST requests to /front/wifinetwork.form.php with unusually large or binary 'comment' field content, which is used to inject the malicious GZIP payload into the database.
  • Alert on newly created .php files appearing under the GLPI /pics/ directory, as the exploit writes a PHP webshell there via the backup dump functionality.
  • The exploit uses the CSRF token pattern 'name="_glpi_csrf_token" value="([a-f0-9]{32})"' — monitor for automated rapid sequential requests to login and wifinetwork pages harvesting CSRF tokens.
  • The exploit fetches the GZIP payload from a remote GitHub raw URL (AlmondOffSec/PoCs); outbound connections from the GLPI server or attacker host to this URL during an attack session are a strong indicator of exploitation.
  • The 'offsettable' parameter value (312 in the PoC) must match the line number of the 'wifinetworks' CREATE TABLE statement in the SQL dump; this value varies per GLPI installation and database state, so attackers must enumerate it first.
  • The web-writable output path for the dropped shell differs by platform: C:\xampp\htdocs\pics\ on Windows and /var/www/html/glpi/pics/ on Linux; non-default installations will require path adjustment.
  • Exploitation requires an authenticated account with both Maintenance privileges and the right to add WiFi networks, or alternatively a CSRF attack against such an account.
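As an added example (not from the source and not GLPI project code): a small Python scanner that applies the first and third detection notes above to web-server access-log lines. It assumes the default GLPI layout with /pics/ as the web-writable directory and the Apache/Nginx combined log format; the sample lines are constructed, not captured traffic.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic). Line 2 mirrors the
# backup.php parameter pattern listed above; line 3 is an ordinary SQL backup download.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2020:10:01:02 +0000] "GET /front/central.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2020:10:01:09 +0000] "GET /front/backup.php?dump=dump&offsettable=312&fichier=../pics/shell.php HTTP/1.1" 200 311 "-" "python-requests/2.23"
10.0.0.7 - - [12/May/2020:10:02:30 +0000] "GET /front/backup.php?dump=dump&fichier=glpi-backup-2020-05-12.sql HTTP/1.1" 200 811 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2020:10:02:45 +0000] "GET /pics/shell.php?0=echo%20asdfasdfasdf HTTP/1.1" 200 14 "-" "python-requests/2.23"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: default GLPI layout, where /pics/ is the web-writable directory named in the IOCs.
WEB_WRITABLE_PREFIXES = ("/pics/",)


def classify(line):
    """Return a finding dict for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    base = {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "target": target}

    # Rule 1: backup dump redirected to a web-accessible path (dump=dump plus fichier under /pics/ or *.php).
    if method == "GET" and url.path.endswith("/front/backup.php") and params.get("dump") == ["dump"]:
        fichier = unquote(params.get("fichier", [""])[0])
        # Collapse "../" so "../pics/x.php" and "pics/x.php" are judged the same.
        norm = posixpath.normpath("/" + fichier)
        if norm.startswith(WEB_WRITABLE_PREFIXES) or norm.endswith(".php"):
            return dict(base, rule="backup-dump-to-webroot", fichier=norm)

    # Rule 2: a PHP script being served from /pics/, the log-side counterpart of the
    # "new .php file under /pics/" file-system alert above.
    if url.path.startswith(WEB_WRITABLE_PREFIXES) and url.path.endswith(".php"):
        return dict(base, rule="php-served-from-pics", fichier=url.path)
    return None


def scan(log_text):
    """Run classify() over every line and return the findings in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Rule 1 deliberately ignores dumps whose target stays a plain .sql file, so routine administrator backups do not fire; tune WEB_WRITABLE_PREFIXES to the paths of your own installation.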

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C
osv      -         8.8     HIGH       -