CVE-2020-37078
📋 TL;DR
CVE-2020-37078 is an arbitrary file deletion vulnerability in the import module of i-doit Open Source CMDB. An authenticated user can delete files on the server by supplying a path traversal value in the delete_import parameter of a POST request. The supplied name is not confined to the import directory, so any file the web server process is allowed to unlink (in practice, any file in a directory writable by the web server user) can be removed. Every organization running a vulnerable version of i-doit is affected.
💻 Affected Systems
- i-doit Open Source CMDB
⚠️ Risk & Real-World Impact
Worst Case
Deletion of any file the web server process can reach. If the server runs with excessive privileges (as root, or with write access to system directories such as /etc), this extends to critical system files such as /etc/passwd, web server configuration, and application code, causing service disruption and data loss; removing a file that enforces an access restriction can also be a step toward privilege escalation.
Likely Case
Disruption of the i-doit application by deleting its configuration, cache, log, or uploaded files from the directories the web server user owns, causing outages and loss of uploaded data.
If Mitigated
Deleting a file requires write permission on its parent directory, not on the file itself, so if the web server user can write only to the few directories i-doit needs at runtime, exposure is confined to the files in those directories. A web application firewall that blocks traversal sequences in delete_import further limits exploitation.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID 48427). Attack requires authenticated access but is trivial to execute with valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.14.2 and later
Vendor Advisory: https://www.i-doit.org/
Restart Required: No
Instructions:
1. Back up the i-doit installation directory and database.
2. Download the latest release from the official i-doit website.
3. Follow the i-doit update documentation to upgrade to version 1.14.2 or later.
4. Confirm that the import module rejects delete_import values containing path separators or traversal sequences.
🔧 Temporary Workarounds
Disable Import Module
Temporarily disable the vulnerable import module to prevent exploitation. This also blocks legitimate imports until the patch is applied; adjust the path to your installation.
# Rename the import module directory so the application can no longer load it
mv /var/www/html/i-doit/src/classes/modules/import /var/www/html/i-doit/src/classes/modules/import.disabled
Restrict File Permissions
Limit which directories the web server user can delete from. Deleting a file requires write permission on its parent directory, not on the file, so the goal is to leave the web server user with write access only to the directories i-doit needs at runtime. Do not recursively change the mode of /etc: it is unrelated to this bug, and chmod -R 555 /etc would make /etc/shadow and other root-only files world-readable.
# Make the application code owned by root and read-only for the web server group
chown -R root:www-data /var/www/html/i-doit/
chmod -R u=rwX,g=rX,o= /var/www/html/i-doit/
# Re-grant write access only to the directories i-doit must write at runtime
# (example names; use the list from the i-doit documentation for your version)
for d in log temp upload; do
    chown -R www-data:www-data /var/www/html/i-doit/$d
    chmod -R u=rwX,g=rX,o= /var/www/html/i-doit/$d
done
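To check what the permission workaround actually achieves, the following audit script, an added example written for this page and not part of i-doit, walks an install tree and reports the directories in which a given uid and set of gids could delete files, using the rule above (write plus search permission on the directory, file mode irrelevant). It also lists world-writable directories without the sticky bit. The user name www-data and the install path are assumptions; pass your own on the command line.

```python
import os
import stat


def can_unlink_in(dir_path, uid, gids):
    """True if an identity with this uid and set of gids can delete entries in
    dir_path. Unlinking needs write and execute (search) permission on the
    directory; the mode of the file being deleted does not matter."""
    st = os.stat(dir_path)
    if uid == 0:
        return True  # root bypasses discretionary access checks
    mode = st.st_mode
    if st.st_uid == uid:
        write, search = stat.S_IWUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        write, search = stat.S_IWGRP, stat.S_IXGRP
    else:
        write, search = stat.S_IWOTH, stat.S_IXOTH
    return bool(mode & write) and bool(mode & search)


def deletable_dirs(root, uid, gids):
    """Directories under root (inclusive, as paths relative to root) in which
    the given identity could delete files. In a directory with the sticky bit
    set the identity could only delete the files it owns."""
    found = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        if can_unlink_in(dirpath, uid, gids):
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def world_writable_dirs(root):
    """Directories under root that any local user can write to and that lack
    the sticky bit, i.e. where any local user can delete any file."""
    found = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


if __name__ == "__main__":
    import argparse
    import grp
    import pwd

    ap = argparse.ArgumentParser(description="List directories a user can delete files from")
    ap.add_argument("root", help="install directory, e.g. /var/www/html/i-doit (assumed path)")
    ap.add_argument("--user", default="www-data", help="web server user (assumed name)")
    args = ap.parse_args()
    pw = pwd.getpwnam(args.user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if args.user in g.gr_mem}
    for d in deletable_dirs(args.root, pw.pw_uid, gids):
        print(f"{args.user} can delete files in: {d}")
    for d in world_writable_dirs(args.root):
        print(f"world-writable without sticky bit: {d}")
```

After applying the ownership and mode changes above, the output should list only the runtime directories you deliberately re-granted; anything else in the list is a place the vulnerable module could still delete from.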
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the i-doit server from critical systems
- Deploy a web application firewall (WAF) with rules that block requests whose delete_import parameter contains path traversal sequences, including URL-encoded and double-encoded forms (%2e%2e%2f, %252e%252e%252f) and backslash variants, or an absolute path
🔍 How to Verify
Check if Vulnerable:
Check if your i-doit version is 1.14.1 or earlier by logging into the admin interface and viewing the version information, or check the CHANGELOG.md file in the installation directory.
Check Version:
grep -i 'version' /var/www/html/i-doit/CHANGELOG.md | head -5
Verify Fix Applied:
After updating, verify the version is 1.14.2 or later. Test the import module functionality to ensure it still works for legitimate imports but rejects path traversal attempts.
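The containment check a fixed import module has to enforce, written here as an added example in Python rather than taken from i-doit or the page: the delete_import value is resolved with realpath and accepted only if it lands directly inside the import directory, which rejects traversal, absolute paths, subdirectories, and symlinks placed inside the directory that point outside it. The import directory name and the assumption that import files live flat inside it are this example's, not i-doit's.

```python
import os


class UnsafeImportPath(ValueError):
    """Raised when delete_import does not name a file directly inside the import directory."""


def resolve_import_file(import_dir, requested):
    """Map a user-supplied delete_import value to a file directly inside
    import_dir, or raise UnsafeImportPath. Hypothetical helper, not i-doit code."""
    base = os.path.realpath(import_dir)
    if not requested or "\0" in requested or os.path.isabs(requested):
        raise UnsafeImportPath(f"rejected value: {requested!r}")
    # realpath collapses '..' segments and follows symlinks, so a symlink left
    # inside the import directory that points elsewhere is caught as well.
    candidate = os.path.realpath(os.path.join(base, requested))
    # Only direct children of the import directory are legitimate targets.
    if os.path.dirname(candidate) != base:
        raise UnsafeImportPath(f"outside import directory: {requested!r}")
    return candidate


def is_safe_import_name(import_dir, requested):
    """Boolean form of the check, for tests and for logging rejected values."""
    try:
        resolve_import_file(import_dir, requested)
        return True
    except UnsafeImportPath:
        return False


def delete_import(import_dir, requested):
    """Delete an import file only after the containment check passes.
    Returns the absolute path that was removed."""
    target = resolve_import_file(import_dir, requested)
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    os.unlink(target)
    return target


if __name__ == "__main__":
    import tempfile

    # Constructed demo: one real import file and one symlink escaping the directory.
    root = tempfile.mkdtemp()
    imports = os.path.join(root, "imports")
    os.mkdir(imports)
    open(os.path.join(imports, "hosts_2020.csv"), "w").close()
    os.symlink("/etc/hostname", os.path.join(imports, "link.csv"))
    for value in ["hosts_2020.csv", "../../etc/passwd", "/etc/passwd", "link.csv", "sub/x.csv"]:
        print(f"{value!r}: {'accepted' if is_safe_import_name(imports, value) else 'rejected'}")
```

Refusing symlinks that resolve outside the directory is the conservative choice: unlink() would only remove the link, but accepting it would still let an attacker who can plant a symlink steer the module at files elsewhere.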
📡 Detection & Monitoring
Log Indicators:
- POST requests to the /import/ endpoint whose delete_import parameter contains traversal sequences (../, ..\, or URL-encoded forms such as %2e%2e%2f) or an absolute path
- PHP or web server error logs showing unlink() warnings ("No such file or directory", "Permission denied") for paths outside the import directory
- Application logs showing failed import operations with unexpected file paths
Network Indicators:
- HTTP POST requests to import endpoints with unusual file paths in parameters
- Application errors (HTTP 500 responses, missing pages) beginning right after such requests, consistent with deleted application or configuration files
SIEM Query:
Pseudo-syntax; adapt to your SIEM. The delete_import parameter travels in the POST body, which standard access logs do not record, so this query needs a source that logs request bodies (a WAF or ModSecurity audit log, or application logging).
source="web_logs" AND uri_path="/import/" AND method="POST" AND param="delete_import" AND (value="*../*" OR value="*..\*" OR value="*%2e%2e*")
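The detection above run over sample records, as an added example in Python that is not code from the page or from i-doit. It assumes a log source that records POST bodies, here a constructed JSON-per-line audit log; a plain access log would not contain delete_import at all. It goes a step beyond the wildcard query by decoding repeated percent-encoding and backslash separators, so the double-encoded request in the sample, which a literal "*../*" match misses, is still flagged.

```python
import json
from urllib.parse import parse_qs, unquote

# Constructed sample records in the shape a reverse proxy or WAF audit log
# takes when configured to record request bodies. Not real i-doit logs.
SAMPLE_LOG = """
{"ts": "2020-05-06T10:01:12Z", "src_ip": "10.0.0.15", "user": "alice", "method": "POST", "path": "/import/", "status": 200, "body": "delete_import=hosts_2020.csv"}
{"ts": "2020-05-06T10:02:40Z", "src_ip": "10.0.0.66", "user": "bob", "method": "POST", "path": "/import/", "status": 200, "body": "delete_import=../../../../etc/passwd"}
{"ts": "2020-05-06T10:02:41Z", "src_ip": "10.0.0.66", "user": "bob", "method": "POST", "path": "/import/", "status": 200, "body": "delete_import=%252e%252e%252f%252e%252e%252fetc%252fhosts"}
{"ts": "2020-05-06T10:02:45Z", "src_ip": "10.0.0.66", "user": "bob", "method": "POST", "path": "/import/", "status": 200, "body": "delete_import=/var/www/html/i-doit/CHANGELOG.md&confirm=1"}
{"ts": "2020-05-06T10:03:00Z", "src_ip": "10.0.0.15", "user": "alice", "method": "POST", "path": "/search/", "status": 200, "body": "q=../.."}
"""


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double encoding is a
    common filter-evasion trick); stops early once the value is stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_delete_import(value):
    """Return a reason string if the value is not a plain file name, else None.
    Assumes legitimate values are bare file names (this example's assumption)."""
    normalized = fully_decode(value).replace("\\", "/")
    if ".." in normalized.split("/"):
        return "path traversal"
    if normalized.startswith("/"):
        return "absolute path"
    return None


def scan_log(log_text):
    """Return one alert per suspicious delete_import value sent to the import endpoint."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("path", "").startswith("/import"):
            continue
        params = parse_qs(rec.get("body", ""), keep_blank_values=True)
        for raw in params.get("delete_import", []):
            reason = classify_delete_import(raw)
            if reason:
                alerts.append({
                    "ts": rec["ts"],
                    "src_ip": rec["src_ip"],
                    "user": rec.get("user"),
                    "reason": reason,
                    "decoded": fully_decode(raw),
                })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src_ip']} user={alert['user']} "
              f"{alert['reason']}: {alert['decoded']}")
```

The request to /search/ carrying "../.." is deliberately not flagged: scoping the rule to the import endpoint and the delete_import parameter keeps it from firing on every search or free-text field that happens to contain dots and slashes.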