Command injection vulnerability in Combodo iTop 2.4.1 and probably prior versions allows remote authenticated attackers to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval().
For more details search for CVE-2018-10642 or visit this link https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt
Hello Ayoub,
The vulnerability exists because:
1. The iTop configuration file is a PHP file
2. iTop offers a way - for administrators - to edit the configuration file online
As you mention on GitHub, this means that this vulnerability exists only for users with an iTop administrator account.
If you feel that the risk is still too high, you can completely disable the online editing of the iTop configuration by adding the following configuration parameter inside the 'Module Specific' section of the iTop configuration file:
'itop-config' => array ( 'config_editor' => 'disabled', ),
Hope this helps,
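The two points above (the configuration file is PHP, and the online editor checks an administrator's submission by eval()'ing it) are what turn a parse check into code execution. The following is an added example, not iTop's own code: testConfigUnsafe() is a hypothetical reconstruction of the eval()-based pattern the report describes, and testConfigSafe() shows one way to validate a submitted settings file without executing it. The sample submissions BENIGN and HOSTILE are constructed for the demonstration; the function names and the token allowlist are assumptions, not anything iTop ships.

```php
<?php
// Added example; not iTop's own code. It contrasts a config check that
// eval()s the submitted PHP (the pattern the report attributes to
// TestConfig()) with a check that lints the submission without running it.

// Constructed sample submissions: a legitimate edit and a hostile one.
const BENIGN  = "<?php\n\$MySettings = array('app_name' => 'iTop', 'debug' => false);\n";
const HOSTILE = "<?php\n\$MySettings = array(); echo shell_exec('id');\n";

// Vulnerable pattern (hypothetical reconstruction): strip the open tag and
// eval() the body to see whether it parses. Whatever the admin typed runs
// with the web server's privileges, so a syntax check becomes code execution.
function testConfigUnsafe(string $submitted): bool
{
    $body = preg_replace('/^\s*<\?php/', '', $submitted, 1);
    try {
        eval($body . ' return true;');
        return true;
    } catch (ParseError $e) {
        return false;
    }
}

// Hardened check: walk the token stream and accept only what a settings file
// needs (assignments, arrays, literals, comments). Anything else, including
// any function call or language construct, is rejected before the file is
// parsed or written anywhere.
function testConfigSafe(string $submitted): bool
{
    $allowedIds = [
        T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_VARIABLE,
        T_ARRAY, T_DOUBLE_ARROW, T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER,
    ];
    $allowedChars = ['=', ';', '(', ')', '[', ']', ',', '-'];
    foreach (token_get_all($submitted) as $tok) {
        if (is_string($tok)) {
            if (!in_array($tok, $allowedChars, true)) {
                return false;
            }
            continue;
        }
        [$id, $text] = $tok;
        if ($id === T_STRING) {
            // Bare identifiers are only accepted for the boolean/null constants;
            // a function name such as shell_exec is a T_STRING and fails here.
            if (!in_array(strtolower($text), ['true', 'false', 'null'], true)) {
                return false;
            }
            continue;
        }
        if (!in_array($id, $allowedIds, true)) {
            return false;
        }
    }
    // Syntax is then checked with the interpreter's linter on a temp file;
    // "php -l" parses the file but never executes it.
    $tmp = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($tmp, $submitted);
    exec((PHP_BINARY ?: 'php') . ' -l ' . escapeshellarg($tmp) . ' 2>&1', $out, $rc);
    unlink($tmp);
    return $rc === 0;
}

foreach (['benign' => BENIGN, 'hostile' => HOSTILE] as $name => $src) {
    printf("%-7s unsafe=%s safe=%s\n", $name,
        testConfigUnsafe($src) ? 'accepted' : 'rejected',
        testConfigSafe($src) ? 'accepted' : 'rejected');
}
```

Run from the command line, the hostile submission is "accepted" by the eval()-based check, and the output of the embedded shell_exec('id') appears on the console first: the check itself executed the payload. The allowlist version rejects it before any parsing happens. The allowlist is deliberately strict and would need extending for legitimate constructs a real configuration might use (named constants, string concatenation); the simpler mitigation, as stated in the reply above, is to turn the online editor off with 'config_editor' => 'disabled' so that configuration changes require filesystem access rather than an admin login.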
Hello Denis,
Thanks for your quick reply, your solution fixes this vulnerability.
Best regards.