Multiple vulnerabilities identified in "i-doit" CMDB web application

January 5, 2013;

i-doit is a web application for documenting complex IT infrastructures. The i-doit web application does not properly encode output of user data in various places, as identified by Stephan Rickauer of Compass Security. Exploiting this vulnerability leads to so-called cross-site scripting (XSS) and allows execution of JavaScript code in the context of the user's session, e.g. to impersonate logged-in i-doit CMDB users.

i-doit versions prior to 1.0 Pro and 0.9.9-7 Open are affected. Version 1.0.2 Pro has received a new configure option to 'sanitize user input' which defaults to off and has to be manually enabled. However, bear in mind all installations not having this flag set remain vulnerable.





Compass at CyberSec Conference in Yverdon-les-Bains
10/20/15 - Cyber Security is a challenge

Compass mit einer Keynote am TEFO15
10/20/15 - Studerus Technology Forum

Vulnerability in Netgear Router Firmware N300
10/6/15 - Daniel Haake identified an Authentication Bypass in Netgear Router Firmware N300.

Vulnerability in AdNovum nevisAuth
9/21/15 - Antoine Neuenschwander identified an Authentication Bypass in AdNovum nevisAuth.

November 6/7, 2015: 34. Jahrestagung Technik und Service, VAF, Unterhaching (bei M√ľnchen)
9/3/15 - Details folgen