Multiple vulnerabilities identified in "i-doit" CMDB web application

January 5, 2013;

i-doit is a web application for documenting complex IT infrastructures. The i-doit web application does not properly encode output of user data in various places, as identified by Stephan Rickauer of Compass Security. Exploiting this vulnerability leads to so-called cross-site scripting (XSS) and allows execution of JavaScript code in the context of the user's session, e.g. to impersonate logged-in i-doit CMDB users.

i-doit versions prior to 1.0 Pro and 0.9.9-7 Open are affected. Version 1.0.2 Pro has received a new configure option to 'sanitize user input' which defaults to off and has to be manually enabled. However, bear in mind all installations not having this flag set remain vulnerable.





Compass Security Deutschland at CeBIT 2015
3/4/15 - Besuchen Sie uns!

1. Cyber Security Challenge Germany - a successful event
2/6/15 - Young IT talents met in Berlin

Vulnerabilities in Softing FG-100 PB
11/5/14 - Ingmar Rosenhagen identified vulnerabilities in Softing FG-100 PB.

Compass organisiert die Cyber Security Challenge Germany 2014/2015
11/5/14 - Hacker gesucht - IT-Sicherheitstalente im Wettbewerb

Vulnerabilities in neutroML and SAP BusinessObjects Explorer
10/10/14 - Alexandre Herzog identified vulnerabilities in neutroML and SAP BusinessObjects Explorer.