
CVE-2020-5248 PoC — Public GLPIKEY can be used to decrypt any data in GLPI

Source
Associated Vulnerability
Title: Public GLPIKEY can be used to decrypt any data in GLPI (CVE-2020-5248)
Description: GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance, so anyone can decrypt sensitive data stored using this key. The key can be changed before installing GLPI, but on existing instances the data must be re-encrypted with the new key. The problem is that it is not possible to know which columns or rows in the database use the key, especially for plugins. Changing the key without updating the data would result in wrong passwords being sent from GLPI; storing them again from the UI will work.
Description
CVE-2020-5248
Readme
# CVE-2020-5248 PoC environment setup and test

# Test procedure

- Environment setup

```
vim docker/nginx/default.conf
server_name [docker host ip];   # change this to the Docker host IP
mysqlserver: mysql  id: root  pw: root
```
- Run

```
cd docker/app/
tar -xvf glpi-9.4.5.tgz    # the archive sits in docker/app/ (see the file snapshot)
chmod -R 777 glpi
docker-compose up -d
```

Access GLPI at http://localhost:8080/glpi

- PoC test
  - PoC: https://github.com/indevi0us/CVE-2020-5248
  - Test reference: https://offsec.almond.consulting/multiple-vulnerabilities-in-glpi.html
  - Obtain the ciphertext from http://localhost:8080/glpi

```
docker/poc/decrypt_any.php
vim decrypt_any.php    # replace the argument of decrypt("...") with the captured ciphertext
http://localhost:8080/poc/decrypt_any.php
```

---
# Note
If the installation fails, delete the glpi directory and run the tar step again.
File Snapshot

```
[4.0K] /data/pocs/c4ebf64d12c2631b7dfa78b85718fe23274c2b32
├── [4.0K] docker
│   ├── [4.0K] app
│   │   ├── [ 395] docker-compose.yml
│   │   ├── [ 33M] glpi-9.4.5.tgz
│   │   ├── [  17] index.php
│   │   └── [4.0K] poc
│   │       └── [ 392] decrypt_any.php
│   ├── [4.0K] nginx
│   │   ├── [ 483] default.conf
│   │   └── [  76] Dockerfile
│   └── [4.0K] php
│       ├── [ 338] Dockerfile
│       └── [4.0K] docker-php-extension-installer
└── [ 803] README.md

6 directories, 8 files
```