
Description
- GLPI (Gestionnaire Libre de Parc Informatique) : is a widely used open-source solution for IT service management, including asset inventory, helpdesk, and IT infrastructure management.
- Threat : A vulnerability in GLPI allows an unauthenticated user to activate Debug Mode. Once enabled, this mode reveals SQL queries, errors, PHP objects, system configuration, and input/output data, providing detailed insight into the application’s behavior and potential issues—even to regular users.
- Expectation : Debug Mode activation should be strictly restricted to administrators.
Vulnerability records
- CVE ID: CVE-2025-25192
- Access Vector: network
- Security Risk: medium
- Vulnerability: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-285 (Improper Authorization)
- CVSS Base Score: 6.5
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
A vulnerability in GLPI allows an unauthenticated user to activate Debug Mode by sending a POST request with the continuer parameter to /glpi/install/update.php. This bypasses the intended checks due to a logic flaw in the script. Once enabled, Debug Mode exposes sensitive information such as internal SQL queries, making it easier to analyze the application and identify potential vulnerabilities.
Proof of Concept: Debug Mode Activation
An update script is accessible at the following URL:
http://<serveur>/glpi/install/update.php
When trying to access http://10.0.2.15/glpi/install/update.php, we initially encounter an error preventing the execution of the update
By reviewing the source code of GLPI at /glpi/install/update.php, we identified a logic flaw that allows bypassing this protection by sending a POST request containing a continuer or from_update parameter with an arbitrary value.
We noticed in the source code that starting the update would activate DEBUG mode
We were therefore able to start the update and activate DEBUG mode through this request:
Once the update is completed, if we return to our basic user interface with a simple user, we can see that DEBUG mode is indeed activated.
DEBUG mode provides access to a wealth of information, including the SQL queries executed for each action.
Affected versions
Versions <= 10.0.17
Solution
Update to version >= 10.0.18
Timeline
- 2025-01-28: Initial discovery
- 2025-02-07: First e-mail contact
- 2025-02-10: Sent all details to vendor contact
- 2025-02-25: Disclosure
Credits : Mathis Evrard, aka StayF0cus, SysDream (m.evrard -at- sysdream -dot- com)