Multiple vulnerabilities identified in "i-doit" CMDB web application

January 5, 2013

i-doit is a web application for documenting complex IT infrastructures. The i-doit web application does not properly encode output of user data in various places, as identified by Stephan Rickauer of Compass Security. Exploiting this vulnerability leads to so-called cross-site scripting (XSS) and allows execution of JavaScript code in the context of the user's session, e.g. to impersonate logged-in i-doit CMDB users.
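The defect the advisory describes is missing output encoding: user-supplied values are written into HTML without being escaped for the context they land in. The following is an added illustration, not code from i-doit or from Compass Security; it assumes a hypothetical CMDB object with `title` and `description` fields and a hypothetical table-row template, and it shows the vulnerable rendering next to the encoded one, with a small tag-count check a reviewer can use to spot injected markup in rendered output.

```javascript
// Added example (not i-doit code): context-aware HTML output encoding,
// the defence whose absence allows the XSS the advisory describes.
"use strict";

// Escape every character that can break out of HTML text or a quoted attribute.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable rendering: user data is interpolated straight into markup,
// in both a text context (<td>...</td>) and an attribute context (title="...").
function renderUnsafe(obj) {
  return `<tr><td>${obj.title}</td><td title="${obj.description}">${obj.description}</td></tr>`;
}

// Hardened rendering: every user-controlled value is encoded at the output point.
// The same encoding covers both contexts here because the attribute is double-quoted.
function renderSafe(obj) {
  const title = encodeHtml(obj.title);
  const description = encodeHtml(obj.description);
  return `<tr><td>${title}</td><td title="${description}">${description}</td></tr>`;
}

// Review helper: count tag openers in a fragment. The row template above always
// produces exactly six (<tr>, <td>, </td>, <td>, </td>, </tr>); anything beyond
// that came from user data and means encoding was skipped somewhere.
function countTags(html) {
  const matches = html.match(/<[a-zA-Z\/]/g);
  return matches ? matches.length : 0;
}

// Constructed sample record with one text-context and one attribute-context payload.
const SAMPLE = {
  title: "<script>alert(1)</script>",
  description: '" onmouseover="alert(1)',
};

// Stand-alone demonstration when run directly.
console.log("unsafe:", renderUnsafe(SAMPLE), "tags:", countTags(renderUnsafe(SAMPLE)));
console.log("safe:  ", renderSafe(SAMPLE), "tags:", countTags(renderSafe(SAMPLE)));
```

The encoding is applied at the output point rather than when the data is stored, so a value that was saved before the fix (or imported through another path) is still rendered safely. That is the difference between output encoding and the input-sanitising option the advisory mentions: sanitising only protects data that passed through the sanitiser.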

i-doit versions prior to 1.0 Pro and 0.9.9-7 Open are affected. Version 1.0.2 Pro has received a new configuration option to 'sanitize user input', which defaults to off and has to be enabled manually. Bear in mind that all installations without this flag set remain vulnerable.
