iTop Cross Site Scripting

2013.01.24
Credit: Stephan Rickauer
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2013-0805
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

############################################################# # # COMPASS SECURITY ADVISORY http://www.csnc.ch/ # ############################################################# # # CVE ID : CVE-2013-0805 # CSNC ID: CSNC-2013-001 # Product: iTop # Vendor: Combodo # Subject: Cross-site Scripting - XSS # Risk: High # Effect: Remotely exploitable # Author: Stephan Rickauer (stephan.rickauer _at_ csnc.ch) # Date: January 23rd 2013 # ############################################################# Introduction: ------------- Compass Security discovered a security flaw in the iTop web application. Vulnerable: ----------- All iTop versions older than: * trunk revision 2589 * branches/1.2.1, revision 2587 * branches/1.2, revision 2588 * branches/2.0, revision 2590 Not vulnerable: --------------- unknown Patches: -------- Patches have been commited to the SourceForge Trac by the vendor with respect to all affected versions. Modified files: pages/UI.php and pages/run_query.php Fix: ---- Thoroughly encode all user input properly on output. Description: ------------ The iTop search feature displays the term entered by the user. However, that very output of the user's input happens mostly un-encoded. The implemented mitigation step of only encoding < as part of a script tag is inadequate and can be easily bypassed. Exploiting this vulnerability will lead to so-called cross-site scripting (XSS) and allows the impersonation of logged-in iTop users. Milestones: ----------- January 4th, Vulnerability discovered January 4th, Vendor contact established January 7th, Vendor provided with technical details January 7th, Vendor acknowledged issue (support _at_ combodo.com) January 15th, CVE assigned and vendor notified January 23rd, Patch committed in all main branches of the iTop project by vendor January 23rd, Public release of advisory References: ----------- XSS reference: http://en.wikipedia.org/wiki/Cross-site_scripting Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued. iTop reference: http://www.combodo.com/iTop-a-new-generation-of-IT.html Provided evidence: - Two screenshots - XSS attack code - copy of html page showing unencoded output

References:

http://en.wikipedia.org/wiki/Cross-site_scripting


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top