Reporter Tobias Glemser
TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181
iTop version 1.1.181, 1.2.0-RC-282 (maybe earlier versions as well)
CVE-2011-4275 - Multiple web-vulnerabilities in iTop
(used for updates)
"IT Operations Portal: a complete open source, ITIL, web based
service management tool including a fully customizable CMDB,
a helpdesk system and a document management tool."
Several common flaws, such as reflected and stored XSS, could be
found in iTop.
- almost every tested input field is stored in the database and
written into the HTML content of the site.
sanitisation in place
seems to be overridden.
- almost every test input field where the value is reflected in
- add a company named "XSS <script>alert("Help Me")</script>"
- add a database server named "XSS <script>alert("Help
- import a CSV-File where one cell contains "XSS <script>alert("Help
- copy&paste data (which does the same as CSV-import) using
3;Test 3<script>alert("23746234243 Test")</script>"
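As an added illustration (not part of this advisory and not iTop's own code), the Python below parses a constructed semicolon-separated import like the copy&paste case above, renders a row once verbatim and once HTML-escaped, and flags cells that carry markup so an import can be reviewed before it is accepted; the function names and sample data are assumptions.

```python
import csv
import html
import io

# Constructed sample mirroring the advisory's copy&paste / CSV-import case:
# the "name" cell of the second data row carries a script tag.
SAMPLE_IMPORT = (
    "id;name\n"
    "1;Test 1\n"
    '3;Test 3<script>alert("23746234243 Test")</script>\n'
)


def parse_import(text):
    """Parse semicolon-separated import data into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def render_row_unsafe(row):
    """Flawed pattern: stored values are written into HTML verbatim, so any
    markup in a cell becomes live script on every page that displays it."""
    return "<tr>" + "".join(f"<td>{v}</td>" for v in row.values()) + "</tr>"


def render_row_safe(row):
    """Hardened pattern: every stored value is HTML-escaped at output time,
    whether or not it was sanitised on input."""
    cells = "".join(f"<td>{html.escape(v, quote=True)}</td>" for v in row.values())
    return "<tr>" + cells + "</tr>"


def find_markup_cells(rows):
    """Detection aid: return (row index, column, value) for every cell that
    contains HTML markup characters, for review before the import is stored."""
    hits = []
    for i, row in enumerate(rows):
        for col, val in row.items():
            if "<" in val or ">" in val:
                hits.append((i, col, val))
    return hits


if __name__ == "__main__":
    rows = parse_import(SAMPLE_IMPORT)
    for hit in find_markup_cells(rows):
        print("markup found in import:", hit)
    print(render_row_unsafe(rows[1]))  # script tag survives into the page
    print(render_row_safe(rows[1]))    # script tag shown as inert text
```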
reflected XSS (un-authenticated):
reflected XSS (authenticated):
- use version 1.2 final
2011/08/09 vendor contacted via firstname.lastname@example.org
2011/08/09 initial vendor response
2011/09/06 first patch by the vendor
2011/09/12 second patch by the vendor
2011/11/16 public disclosure
Tobias Glemser (email@example.com)
Tele-Consulting security networking training GmbH, Germany
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore Tele-Consulting shall
not be liable for any direct or indirect damages that might be
caused by using this information.