i-doit Pro 1.2.4 Cross Site Scripting

2014-02-05T00:00:00
ID PACKETSTORM:125062
Type packetstorm
Reporter Stephan Rickauer
Modified 2014-02-05T00:00:00

Description

                                        
                                            `#############################################################  
#  
# COMPASS SECURITY ADVISORY http://www.csnc.ch/  
#  
#############################################################  
#  
# CVE ID : CVE-2014-1237  
# CSNC ID: CSNC-2014-002  
# Product: i-doit  
# Vendor: synetics Gesellschaft für Systemintegration mbH  
# Subject: Cross-site Scripting - XSS  
# Risk: High  
# Effect: Remotely exploitable  
# Author: Stephan Rickauer (stephan.rickauer@csnc.ch)  
# Date: February 5th 2014  
#  
#############################################################  
  
  
Introduction:  
-------------  
Compass Security AG [3] discovered a security flaws in the i-doit CMDB  
web application [2], which allows execution of malicious code.  
  
  
Vulnerable:  
-----------  
i-doit Pro 1.2.4 and likely all prior versions including i-doit Open.  
  
  
Description:  
------------  
The i-doit web application does not properly encode output of user data  
in at least one place. Exploiting this vulnerability leads to reflected  
cross-site scripting (XSS) and allows execution of JavaScript code in  
the context of the user's session, e.g. to impersonate logged-in i-doit  
CMDB users.  
  
The vulnerable resource is the 'call' parameter:  
/?ajax=1&objID=1753&call=');}</script><script>alert('XSS')</script>  
  
  
Remediation:  
------------  
Upgrade to i-doit Pro 1.2.4. The 'Open' flavour will not receive patches  
in its current branch any longer, as explained by the vendor.  
  
  
Milestones:  
-----------  
2014-01-08 Vulnerability discovered, Vendor notified, CVE ID requested  
2014-01-09 Acknowledgement of vulnerability by vendor and agreement of  
advisory release schedule. CVE ID assigned my MITRE.  
2014-01-31 Release of patched vendor software.  
2014-02-05 Public release of advisory.  
  
  
Acknowledgements:  
-----------------  
This XSS has been identified with the help of Sentinel, a plugin for the  
Burp Proxy, written by Dobin Rutishauser at Compass Security AG [4].  
  
  
References:  
-----------  
[1] http://www.i-doit.org  
[2] http://www.i-doit.com  
[3] http://www.csnc.ch  
[4] https://github.com/dobin/BurpSentinel  
  
  
`