Submit #838225: glpi-project glpi 11.0.5 - 11.0.7 Authorization Bypass

Title: glpi-project glpi 11.0.5 - 11.0.7 Authorization Bypass
Description:

# Summary

An authenticated user who is allowed to answer any active GLPI form can download arbitrary GLPI documents by supplying the accessible form ID in the `itemtype` / `items_id` parameters of `front/document.send.php`.

If a form allows unauthenticated direct access, the same issue may be reachable by an anonymous user after establishing the form access session.

---

# Affected Versions

Confirmed by code review in:

- GLPI `11.0.7`
- GLPI `11.0/bugfixes` at commit `915d9d04e9`

The vulnerable form-specific branch was introduced in commit:

- `e29aebef6e5a75b93c1828d56679e016938c3c15`

This commit is contained in tag:

- `11.0.5`

The behavior was extended in commit:

- `b994a2e5218f4f8e6f2730522bcb4e1f27905d47`

This commit is contained in tags:

- `11.0.6`
- `11.0.7`

I did not find this form-specific code path in GLPI `10.0.25`.

---

# Root Cause

`front/document.send.php` loads a document by attacker-controlled `docid` and passes the full query string to `Document::canViewFile()`:

```php
} elseif ($doc->canViewFile($_GET)) {
    return $doc->getAsResponse();
}
```

`Document::canViewFile()` accepts attacker-controlled `itemtype` and `items_id`. Before reaching the generic item relation check, it calls `canViewFileFromForm()` for form-related item types:

```php
if (
    $itemtype !== null
    && is_numeric($items_id)
    && $this->canViewFileFromForm($itemtype, (int) $items_id)
) {
    return true;
}
```

`canViewFileFromForm()` resolves the submitted form, section, question, or comment to a form and only checks whether the current session may answer that form:

```php
return $control_manager->canAnswerForm($form, $parameters);
```

It does not verify that the requested `Document` is actually linked to the supplied form-related item. As a result, an attacker can use an accessible form as an authorization oracle for any document ID.

---

# Security Impact

This is an IDOR / authorization bypass on GLPI documents.

An attacker can read documents attached to unrelated tickets, assets, reminders, knowledge base items, or other objects, provided they know or guess the document ID and can answer at least one active form.

Suggested CWEs:

- CWE-639: Authorization Bypass Through User-Controlled Key
- CWE-284: Improper Access Control
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

---

# Preconditions

## Authenticated Scenario

- A low-privileged user can answer at least one active form, for example through an allow-list access control.
- A private document exists that the low-privileged user cannot otherwise read.
- The attacker knows or can guess the private document ID.

## Unauthenticated Scenario

- A form is active and configured for unauthenticated direct access.
- The anonymous user establishes form access first, for example by visiting the form render URL with its valid direct-access token.
- The attacker knows or can guess the private document ID.

---

# Reproduction Outline

1. Install GLPI 11.0.7.
2. As an administrator, create or identify a private document D attached to a restricted item that a low-privileged user cannot read.
3. Create an active form F whose access control allows the low-privileged user to answer it.
4. Log in as the low-privileged user.
5. Request:

   `/front/document.send.php?docid=<D>&itemtype=Glpi%5CForm%5CForm&items_id=<F>`

## Expected Result

The request should be denied because document D is not linked to form F.

## Actual Result

`Document::canViewFile()` returns true through `canViewFileFromForm()`, and `front/document.send.php` returns the document content.

---

# Suggested Fix

Before returning true from the form-specific path, verify that the requested document is linked to the exact supplied form-related item. For example, `canViewFileFromForm()` should perform a `glpi_documents_items` lookup for:

- `documents_id = $this->getID()`
- `itemtype = $itemtype`
- `items_id = $items_id`

Only after this relationship check succeeds should it evaluate whether the current session can answer the resolved form.

The existing tests added around `Document::canViewFile()` cover:

- The positive case for linked form documents.
- The negative case for users not allowed to answer the form.

A regression test should also cover the missing negative case:

- A user allowed to answer form F must not be able to view an unrelated document by passing `itemtype=Glpi\Form\Form&items_id=F`.
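A defender-side triage check for this issue, added here as an example and not part of the submission or of GLPI: it parses web-server access-log lines, isolates `front/document.send.php` requests whose `itemtype` decodes to a `Glpi\Form\...` class (the form-related item types the report describes), and reports users who fetched several distinct `docid` values through a form itemtype. The log lines, the log format (combined format with the authenticated user in the third field) and the usernames are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the report). alice fetches three different
# documents through one form; bob fetches one document through a normal Ticket relation.
SAMPLE_LOG = """\
10.0.0.5 - alice [27/May/2026:10:00:01 +0000] "GET /front/document.send.php?docid=41&itemtype=Glpi%5CForm%5CForm&items_id=3 HTTP/1.1" 200 8812
10.0.0.5 - alice [27/May/2026:10:00:02 +0000] "GET /front/document.send.php?docid=42&itemtype=Glpi%5CForm%5CForm&items_id=3 HTTP/1.1" 200 1203
10.0.0.5 - alice [27/May/2026:10:00:03 +0000] "GET /front/document.send.php?docid=43&itemtype=Glpi%5CForm%5CForm&items_id=3 HTTP/1.1" 200 77120
10.0.0.9 - bob [27/May/2026:10:01:00 +0000] "GET /front/document.send.php?docid=7&itemtype=Ticket&items_id=15 HTTP/1.1" 200 300
10.0.0.9 - bob [27/May/2026:10:02:00 +0000] "GET /front/helpdesk.public.php HTTP/1.1" 200 5000
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a dict with client, user, path, status and decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    qs = {k: v[0] for k, v in parse_qs(url.query).items()}  # parse_qs percent-decodes values
    return {"client": m.group("client"), "user": m.group("user"),
            "path": url.path, "status": int(m.group("status")), "qs": qs}

def is_form_document_request(rec):
    """True for document.send.php hits that take the form-specific canViewFile branch:
    a docid plus an itemtype under the Glpi\\Form namespace ("Glpi%5CForm%5CForm" decodes
    to "Glpi\\Form\\Form")."""
    if not rec or not rec["path"].endswith("/front/document.send.php"):
        return False
    return "docid" in rec["qs"] and rec["qs"].get("itemtype", "").startswith("Glpi\\Form\\")

def docids_per_user(log_text, min_distinct=2):
    """Map user -> sorted distinct docid values served (HTTP 200) through a form itemtype,
    keeping users at or above min_distinct. A single hit may be a legitimate form
    attachment; a run of distinct docids against one form is the enumeration pattern
    worth reviewing against glpi_documents_items."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_form_document_request(rec) and rec["status"] == 200:
            seen[rec["user"]].add(rec["qs"]["docid"])
    return {u: sorted(d, key=int) for u, d in seen.items() if len(d) >= min_distinct}
```

Results are a review signal only: confirming an actual bypass still requires checking whether each flagged `docid` is linked to the supplied form item in `glpi_documents_items`.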
User: rafaelczanett (UID 98567)
Submission: 05/27/2026 05:25 (1 month ago)
Moderation: 06/27/2026 17:57 (1 month later)
Status: Accepted
VulDB entry: 374487 [glpi-project glpi 11.0.5/11.0.6/11.0.7 Document front/document.send.php Document::canViewFile docid authorization]
Points: 17
