Multiple vulnerabilities identified in "i-doit" CMDB web application

January 5, 2013

i-doit is a web application for documenting complex IT infrastructures. The i-doit web application does not properly encode output of user data in various places, as identified by Stephan Rickauer of Compass Security. Exploiting this vulnerability leads to so-called cross-site scripting (XSS) and allows execution of JavaScript code in the context of the user's session, e.g. to impersonate logged-in i-doit CMDB users.

i-doit versions prior to 1.0 Pro and 0.9.9-7 Open are affected. Version 1.0.2 Pro has received a new configure option to 'sanitize user input', which defaults to off and has to be enabled manually. However, bear in mind that all installations without this flag set remain vulnerable.
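As an added illustration (not i-doit code), the following contrasts the vulnerable pattern the advisory describes, user data written into HTML unencoded, with context-aware output encoding; the `sanitize_input` stand-in is an assumption about what a 'sanitize user input' switch might do, not i-doit's implementation, and the object names are constructed.

```python
import html
import re

# Constructed CMDB object names (not from the advisory): one harmless, one
# carrying markup, one carrying quotes that matter inside an HTML attribute.
SAMPLE_OBJECT_NAMES = [
    "db-server-01",
    "<b>web</b>-proxy",
    'Server "Alpha"',
]

# Shape every rendered row must keep: a single <td> whose title attribute ends
# at the template's own closing quote and whose text contains no further tags.
INERT_ROW = re.compile(r'^<td title="[^"]*">[^<]*</td>$')


def sanitize_input(value: str) -> str:
    """Toy strip-on-write filter standing in for a 'sanitize user input' switch.
    Assumption: this is not i-doit's implementation; it only drops angle brackets."""
    return value.replace("<", "").replace(">", "")


def render_unencoded(name: str) -> str:
    """Vulnerable pattern: user data concatenated into HTML without encoding."""
    return f'<td title="{name}">{name}</td>'


def render_encoded(name: str) -> str:
    """Fix: encode at output time, quoting for the attribute context as well."""
    attr = html.escape(name, quote=True)
    text = html.escape(name, quote=False)
    return f'<td title="{attr}">{text}</td>'


def is_inert(fragment: str) -> bool:
    """True if the fragment contains only the markup the template itself emitted."""
    return INERT_ROW.match(fragment) is not None


def audit(names, sanitize_first: bool = False) -> dict:
    """Map each name to (unencoded render inert?, encoded render inert?).
    With sanitize_first=True the input filter runs before rendering."""
    report = {}
    for name in names:
        stored = sanitize_input(name) if sanitize_first else name
        report[name] = (is_inert(render_unencoded(stored)),
                        is_inert(render_encoded(stored)))
    return report
```

Running `audit(SAMPLE_OBJECT_NAMES, sanitize_first=True)` shows that the strip filter neutralises the markup case but not the quoted name in the attribute context, while the encoded rendering stays inert for every input regardless of the flag.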

CVE-2013-1413

Links:
http://www.i-doit.org
http://www.i-doit.com
