A hapless IT bod found the Have I Been Pwned service (HIBP) answering its own question in a way he really didn’t want – after a breach report including a SQL string KO’d his company’s helpdesk ticket system.
A pseudonymous blogger posting under the name Matt published a tortured account of what happened when a breach notification email from HIBP was ingested into his firm’s helpdesk ticket system and was automatically assigned a ticket ID.
The company used version 9.4.5 of the GLPi open source helpdesk system, a rather old product but quite functional. As Matt put it: “All was well until we received an email from haveibeenpwned to our helpdesk support address, which automatically got logged as a support ticket.”
When one of your email addresses is included in a breach picked up by HIBP, you can generate a report that tells you where your details were found. Included in the email with the link to the report is the HIBP header logo graphic, partly formed from ASCII text which reads as so:
‘;–have I been pwned?
Problems arose when Matt received that email. While he looked at it and took the relevant actions, GLPi had encountered an issue. “I and the other techs quickly noticed that every single ticket description had been deleted and replaced with partial header data from the HIBP email,” wrote Matt.
This caused some headaches, requiring a restore from the previous day’s backups. Not ideal and quite disruptive.
That evening Matt started fault-finding, eventually narrowing down the ticket-wiping problem to one of either assigning the HIBP email to yourself in GLPi or adding yourself as a “watcher” of it. In both cases, Matt suspected, some kind of SQL injection was happening.
“I managed to shrink the exploit down to six characters (‘;– ” – the space and double-quote at the end appear to be required though this could do with more testing) to achieve the same kind of malicious behaviour, in this case deleting all content of the descriptions for every ticket in the database,” he wrote.
Eventually he figured it out. GLPi 9.4.5 is vulnerable to a SQL injection flaw which just happened to be triggered by the formatting of HIBP’s breach report email. As Matt put it, “GLPI supports HTML emails, which get rendered (almost) normally within the interface. Simply hiding the text in an attribute or the <head> or something will keep it invisible to the tech. You’ve just gotta wait for them to assign it to themselves.”
Buoyed by his success, Matt zoomed off to GLPi’s Github page to find contact details for its maintainers to warn them of the flaw. There he made an equally important discovery: GLPi had since been updated to version 9.4.6. Not only that, but the latest version fixed the SQLi vuln.
“If you’re running GLPI, make sure you’re on the latest release. Or look for alternative software,” he concluded, apparently rather crestfallen from all those excellent but ultimately needless efforts.