############################################################# # # COMPASS SECURITY ADVISORY http://www.csnc.ch/ # ############################################################# # # CVE ID : CVE-2014-1237 # CSNC ID: CSNC-2014-002 # Product: i-doit # Vendor: synetics Gesellschaft fr Systemintegration mbH # Subject: Cross-site Scripting - XSS # Risk: High # Effect: Remotely exploitable # Author: Stephan Rickauer (stephan.rickauer@csnc.ch) # Date: February 5th 2014 # ############################################################# Introduction: ------------- Compass Security AG [3] discovered a security flaws in the i-doit CMDB web application [2], which allows execution of malicious code. Vulnerable: ----------- i-doit Pro 1.2.4 and likely all prior versions including i-doit Open. Description: ------------ The i-doit web application does not properly encode output of user data in at least one place. Exploiting this vulnerability leads to reflected cross-site scripting (XSS) and allows execution of JavaScript code in the context of the user's session, e.g. to impersonate logged-in i-doit CMDB users. The vulnerable resource is the 'call' parameter: /?ajax=1&objID=1753&call=');}</script><script>alert('XSS')</script> Remediation: ------------ Upgrade to i-doit Pro 1.2.4. The 'Open' flavour will not receive patches in its current branch any longer, as explained by the vendor. Milestones: ----------- 2014-01-08 Vulnerability discovered, Vendor notified, CVE ID requested 2014-01-09 Acknowledgement of vulnerability by vendor and agreement of advisory release schedule. CVE ID assigned my MITRE. 2014-01-31 Release of patched vendor software. 2014-02-05 Public release of advisory. Acknowledgements: ----------------- This XSS has been identified with the help of Sentinel, a plugin for the Burp Proxy, written by Dobin Rutishauser at Compass Security AG [4]. References: ----------- [1] http://www.i-doit.org [2] http://www.i-doit.com [3] http://www.csnc.ch [4] https://github.com/dobin/BurpSentinel