======================================================================
DEVWERKS SECURITY ADVISORY
www.devwerks.net
======================================================================

devWerks Advisory ID: DW-2016-004
Application:          iTop <= 2.2.1
Vendor:               Combodo
Subject:              Cross-site Scripting - XSS
Author:               Johannes Schroeter (j.schroeter@devwerks.net)
Date:                 2016-10-07

======================================================================
Overview:

IT Operations Portal (iTop): a complete open source, ITIL, web based
service management tool including a fully customizable CMDB, a helpdesk
system and a document management tool. iTop also offers mass import
tools and web services to integrate with your IT.

devWerks discovered a security flaw in the iTop web application which
allows attacker-supplied script to execute in the browser of a user
viewing the affected page, in the context of the iTop web application.

======================================================================
Details:

This vulnerability existed within the application's Attachment Upload
function and was due to improper input sanitization of the filename of
an uploaded file. The filename is stored with the attachment and later
written back into the page without output encoding.

For example, JavaScript could be embedded in the filename; because of
the missing input validation and output encoding, the script contained
in the file's name would execute within the context of the iTop web
application whenever the attachment was displayed.

Any attacker with attachment upload rights could insert such malicious
code, so the issue is exploitable by authenticated users who are not
administrators.

======================================================================
Timeline:

2016-04-03: Vendor notified
2016-04-05: Vendor response
2016-04-05: Vulnerability details sent to vendor
2016-04-05: Vulnerability confirmed and fixed by the vendor (trunk)
2016-07-05: Release of patched vendor software version 2.3.0
2016-10-07: Public release of this advisory

======================================================================
Recommendation:

It is recommended to upgrade to iTop 2.3.0 or later (the latest
available version). Grab your copy at:
https://sourceforge.net/projects/itop/

======================================================================
References:

http://www.combodo.com/itop-193
http://www.combodo.com
http://devwerks.net
https://sourceforge.net/projects/itop/files/itop/2.3.0/
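The following PHP is an added illustration of the class of bug described in the Details section; it is not iTop's code and is not the vendor's fix. The function names, the HTML fragment and the sample filename are assumptions chosen for the example. It shows the vulnerable pattern (a stored filename interpolated straight into HTML) beside a hardened pattern that validates the name at upload time and HTML-encodes it at output time.

```php
<?php
// Added example, not iTop's code. Function names, the HTML fragment and
// the payload filename are assumptions for illustration only.

// Vulnerable pattern: the stored filename is interpolated into HTML as-is,
// so markup inside the name becomes part of the rendered page.
function renderAttachmentVulnerable(int $id, string $filename): string
{
    return '<a href="/download.php?id=' . $id . '">' . $filename . '</a>';
}

// Defense in depth, step 1: normalize the filename when the upload is
// accepted, so what gets stored is already a plain file name.
function sanitizeUploadFilename(string $filename): string
{
    // Strip any directory component the client may have sent.
    $name = basename(str_replace('\\', '/', $filename));
    // Conservative ASCII whitelist; everything else becomes '_'.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    // Reject empty or dot-only names and cap the length.
    $name = trim($name, '.');
    if ($name === '') {
        $name = 'attachment';
    }
    return substr($name, 0, 255);
}

// Defense in depth, step 2 (the essential fix): HTML-encode the value at
// the point where it is written into the page. ENT_QUOTES also encodes
// the double quote, which is what lets a payload break out of an
// attribute value.
function renderAttachmentSafe(int $id, string $filename): string
{
    $escaped = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="/download.php?id=' . (int) $id . '">' . $escaped . '</a>';
}

// Constructed test filename carrying a script payload in the name itself.
$payload = 'report"><img src=x onerror=alert(document.domain)>.pdf';

echo "Vulnerable: " . renderAttachmentVulnerable(42, $payload) . PHP_EOL;
echo "Escaped:    " . renderAttachmentSafe(42, $payload) . PHP_EOL;
echo "Sanitized:  " . renderAttachmentSafe(42, sanitizeUploadFilename($payload)) . PHP_EOL;

// Self-check: the encoded output must carry no raw tag from the payload.
assert(strpos(renderAttachmentSafe(42, $payload), '<img') === false);
```

Output encoding at render time is the control that actually closes the hole; the upload-time whitelist is a secondary measure and, as written, replaces non-ASCII characters, which may be too aggressive for deployments with Unicode filenames. When testing an instance for this bug, upload a file whose name contains a quote and an angle bracket (as in the payload above) and inspect the attachment listing's HTML source: an unencoded `"` or `<` in the rendered name means the output path is still unsafe.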