
#1585 Command injection vulnerability

Milestone: Unassigned
Status: closed
Owner: nobody
Labels: None
Component: User Interface
Priority: Critical
Version: 2.4.1
Type: defect
Updated: 2018-05-14
Created: 2018-05-12
Creator: Ayoub ARBAH
Private: No

Command injection vulnerability in Combodo iTop 2.4.1 (and probably prior versions) allows remote authenticated attackers to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval().

For more details, search for CVE-2018-10642 or visit this link: https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt

Discussion

    Denis - 2018-05-13

    Hello Ayoub,

    The vulnerability exists because:
    1. The iTop configuration file is a PHP file
    2. iTop offers a way - for administrators - to edit the configuration file online

    As you mention on GitHub, this means that this vulnerability exists only for users with an iTop administrator account.
    If you feel that the risk is still too high, you can completely disable the online editing of the iTop configuration by adding the configuration parameter:

        'itop-config' => array (
            'config_editor' => 'disabled',
        ),

    inside the 'Module Specific' section of the iTop configuration file.

    Hope this helps,

    Ayoub ARBAH - 2018-05-13

      Hello Denis,

      Thanks for your quick reply; your solution fixes this vulnerability.

      Best regards.

    Vincent @ Combodo

    status: new --> closed
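The pattern this ticket describes (a "test the configuration" step that validates administrator-supplied PHP by eval()ing it) and the workaround Denis gives above, shown side by side as an added example. This is illustrative code written for this page, not iTop's code and not the project's eventual fix; the functions vulnerableTestConfig, safeTestConfig and configEditorEnabled and the sample configuration texts are invented here. The only project-specific facts it relies on are that iTop's configuration file is PHP and that module settings live in the $MyModuleSettings array.

```php
<?php
// Added illustrative example; not iTop's code. Models the reported pattern (an
// eval()-based "test config" step) beside the config_editor => disabled
// workaround and a validator that never executes the submitted text.
// vulnerableTestConfig, safeTestConfig, configEditorEnabled and the sample
// texts are invented for this example.

declare(strict_types=1);

// Vulnerable pattern: "does this configuration parse?" answered by running it.
// Whatever PHP the submitted text contains executes as the web server user.
function vulnerableTestConfig(string $configText): bool
{
    try {
        eval('?>' . $configText);   // leading '?>' so the text may begin with <?php
        return true;
    } catch (\Throwable $e) {
        return false;               // parse error or runtime error
    }
}

// Workaround from the discussion: refuse the online editor outright when the
// administrator has set 'config_editor' => 'disabled' under 'itop-config'.
// Assumption for this example: any other value leaves the editor enabled.
function configEditorEnabled(array $moduleSettings): bool
{
    return ($moduleSettings['itop-config']['config_editor'] ?? null) !== 'disabled';
}

// Hardened pattern: tokenise the text and accept only what a configuration file
// needs (open/close tag, the two known variables, array(), literals, => , ; []).
// Nothing is executed; anything outside the allow-list is rejected.
function safeTestConfig(string $configText): bool
{
    $allowedVars  = ['$MySettings', '$MyModuleSettings'];
    $allowedWords = ['true', 'false', 'null'];            // the only bare words
    $allowedChars = ['=', ',', '[', ']', ';', '-', ')'];  // '(' is handled below
    $allowedIds   = [
        T_OPEN_TAG, T_CLOSE_TAG, T_ARRAY, T_DOUBLE_ARROW,
        T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER,
    ];

    $prev = null; // previous significant token (id or single-character string)
    foreach (token_get_all($configText) as $token) {
        if (is_string($token)) {
            // '(' is only legal directly after the array keyword. That still
            // allows array( ... ) but blocks call syntax such as 'system'('id')
            // or $MySettings('x'), which would otherwise pass a char allow-list.
            if ($token === '(' ? $prev !== T_ARRAY : !in_array($token, $allowedChars, true)) {
                return false;
            }
            $prev = $token;
            continue;
        }
        [$id, $text] = $token;
        if ($id === T_WHITESPACE || $id === T_COMMENT || $id === T_DOC_COMMENT) {
            continue;
        }
        if ($id === T_VARIABLE) {
            $ok = in_array($text, $allowedVars, true);
        } elseif ($id === T_STRING) {
            $ok = in_array(strtolower($text), $allowedWords, true);
        } else {
            $ok = in_array($id, $allowedIds, true);
        }
        if (!$ok) {
            return false;
        }
        $prev = $id;
    }
    return true;
}

// --- Demonstration on constructed input ---
$harmless = <<<'PHP'
<?php
$MyModuleSettings = array(
    'itop-config' => array(
        'config_editor' => 'disabled',
    ),
);
PHP;

$hostile = <<<'PHP'
<?php
$GLOBALS['marker'] = 'arbitrary PHP ran inside eval()';
PHP;

$callable = <<<'PHP'
<?php
$MySettings = 'phpinfo'();
PHP;

printf("eval-based check accepts hostile text: %s\n", vulnerableTestConfig($hostile) ? 'yes' : 'no');
printf("side effect of merely 'testing' it:     %s\n", $GLOBALS['marker'] ?? '(none)');
printf("token allow-list, harmless config:      %s\n", safeTestConfig($harmless) ? 'accepted' : 'rejected');
printf("token allow-list, hostile text:         %s\n", safeTestConfig($hostile) ? 'accepted' : 'rejected');
printf("token allow-list, callable string:      %s\n", safeTestConfig($callable) ? 'accepted' : 'rejected');

$settings = ['itop-config' => ['config_editor' => 'disabled']];
printf("online editor with the workaround:      %s\n", configEditorEnabled($settings) ? 'enabled' : 'refused');
```

Two caveats on the hardened half. The token allow-list only guarantees that nothing executes; it says nothing about whether the text is syntactically valid PHP, so a non-executing syntax check (for example `php -l` on the candidate text) is still needed before the file is written, or the next request will fail to load the configuration. And an allow-list over PHP source is inherently fragile (note how `(` had to be special-cased); the more robust design is to stop storing configuration as executable code at all and edit a data format such as JSON instead.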
