CVE-2023-47123
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in iTop lets an attacker who can write to an object place script in the attributes that make up its friendlyname or complementary name. When that object is listed as an item of an n:n relation on another object's page, the script runs in the browser of whoever views that page, with that viewer's privileges. Every iTop installation on an unpatched version is affected.
💻 Affected Systems
- Combodo iTop
📦 What is this software?
iTop by Combodo: an open-source, web-based IT service management (ITSM) and CMDB application written in PHP.
⚠️ Risk & Real-World Impact
Worst Case
Script running in an administrator's session could take over that session (cookie theft, or riding the session through requests the script issues), perform any action the victim is authorised for inside iTop, deface pages, or redirect the victim to an attacker-controlled site for further phishing. XSS by itself does not compromise the iTop server or install malware on the victim's machine; that would need a separate browser exploit chained to it.
Likely Case
Session hijacking, credential theft via injected forms, defacement of application pages, or unauthorised changes to CMDB and ticket data made in the victim's name.
If Mitigated
With output encoding in place (the actual fix) and a restrictive CSP, a stored payload is displayed as literal text; residual risk is limited to the odd-looking name itself, with no code execution or data exposure.
🎯 Exploit Status
Exploitation requires an account that can create or modify objects whose attributes feed the friendlyname or complementary name (for example a Person's name), so some level of authenticated access, possibly a low-privileged or portal account, is needed. The payload then fires when another user opens a page on which that object appears in an n:n relation list, so the attacker does not have to interact with the victim directly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.1 or 3.2.0
Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp
Restart Required: Yes
Instructions:
1. Back up the iTop installation directory and the database.
2. Download iTop 3.1.1 or 3.2.0 from the official Combodo sources.
3. Follow the iTop upgrade documentation for your current version.
4. Restart the web server services.
5. Verify the fix by creating an object whose name contains special characters (see How to Verify below) and confirming they are displayed encoded.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation of the attributes that feed the friendlyname and complementary name, rejecting values containing < > " ' or javascript: where the data model allows it; treat this as defence in depth only, since input filters are routinely bypassed.
Modify the iTop code that renders n:n relation items so that friendlyname and complementary name are HTML-entity encoded at output time; iTop is PHP, so htmlspecialchars() with ENT_QUOTES and UTF-8 is the appropriate primitive.
Content Security Policy
Implement CSP headers to restrict script execution to trusted sources; this limits what an injected payload can do but does not remove the bug.
Add a Content-Security-Policy header in the web server configuration with a script-src directive that allows only your own origin (for example script-src 'self'). Deploy it as Content-Security-Policy-Report-Only first: iTop's pages rely on inline scripts, and a policy without 'unsafe-inline' or nonces will break the UI.
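The output-encoding workaround above as an added illustrative example, not iTop's own code: a vulnerable and a hardened rendering of n:n relation rows side by side, plus a coarse check that can double as the post-patch verification. The item structure, the function names and the sample values are hypothetical stand-ins for iTop's friendlyname/complementary name handling.

```php
<?php
// Added illustrative example, not iTop's own code: the item structure and the
// function names below are hypothetical stand-ins for iTop's handling of
// friendlyname / complementary name when n:n relation items are rendered.
declare(strict_types=1);

// Constructed sample data: two linked objects as they would come back from the
// database. In iTop the friendlyname is computed from user-editable attributes,
// so an account with write access to the object controls both strings.
function constructedLinkedItems(): array
{
    return [
        ['friendlyname' => 'Alice Liddell',
         'complementary_name' => 'IT Support'],
        ['friendlyname' => '<script>alert(document.cookie)</script>',
         'complementary_name' => 'x" onmouseover="alert(1)'],
    ];
}

// Vulnerable pattern: database strings are concatenated straight into the HTML,
// so a stored payload executes in the browser of every user who views the list.
function renderLinkedItemsVulnerable(array $items): string
{
    $html = '<ul class="linked-items">';
    foreach ($items as $item) {
        $html .= '<li title="' . $item['complementary_name'] . '">'
               . $item['friendlyname'] . '</li>';
    }
    return $html . '</ul>';
}

// Encoding primitive for HTML element content and double-quoted attributes.
// ENT_QUOTES encodes both quote characters (needed for the attribute context);
// ENT_SUBSTITUTE keeps htmlspecialchars() from returning an empty string on
// invalid UTF-8, which would otherwise make the value vanish silently.
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every untrusted string is encoded at output time, in the
// context it lands in. Nothing is stripped on input, so names containing
// characters such as & or < are stored and displayed faithfully.
function renderLinkedItemsHardened(array $items): string
{
    $html = '<ul class="linked-items">';
    foreach ($items as $item) {
        $html .= '<li title="' . h($item['complementary_name']) . '">'
               . h($item['friendlyname']) . '</li>';
    }
    return $html . '</ul>';
}

// Coarse check usable as the post-patch verification step: a raw <script> tag
// or an unencoded quote followed by an event handler means the output is not
// encoded. This is a test oracle for the rendered HTML, not a sanitizer.
function containsRawScriptOrHandler(string $html): bool
{
    return (bool) preg_match('/<\s*script\b|"\s*on[a-z]+\s*=/i', $html);
}

$items = constructedLinkedItems();
printf("vulnerable rendering flagged: %s\n",
    containsRawScriptOrHandler(renderLinkedItemsVulnerable($items)) ? 'yes' : 'no');
printf("hardened rendering flagged:   %s\n",
    containsRawScriptOrHandler(renderLinkedItemsHardened($items)) ? 'yes' : 'no');
echo renderLinkedItemsHardened($items), PHP_EOL;
```

Run it with `php example.php`. The encoding belongs at output time, in the function that builds the HTML, not in an input filter: iTop names legitimately contain characters such as & and <, and sanitising on input leaves every other output path unprotected.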
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in object names.
- Restrict permissions so that only trusted users (including portal users) can create or modify objects whose attributes feed the friendlyname or complementary name.
🔍 How to Verify
Check if Vulnerable:
Determine the installed iTop version. Versions before 3.1.1 are vulnerable; 3.1.1 and 3.2.0 (or later) contain the fix.
Check Version:
Open the "About iTop" dialog in the web interface, or on the server grep the installation for the ITOP_VERSION constant in the iTop source tree.
Verify Fix Applied:
After patching, edit an object whose attributes make up its friendlyname (for example a Person's name) and set one of them to <script>alert('test')</script>, then link that object to another one through an n:n relation and open the second object's page. The string must appear as literal text (encoded as &lt;script&gt;...) and no dialog must fire; check the complementary name the same way.
📡 Detection & Monitoring
Log Indicators:
- Unusual bursts of object creation/modification by one account, especially edits to name attributes
- POST requests whose parameters contain script tags, event-handler attributes or javascript: URLs in the attributes that feed an object's friendlyname or complementary name (friendlyname itself is computed and never a request parameter)
- Application or WAF log entries showing rejected or malformed input on those fields
Network Indicators:
- HTTP requests to iTop with JavaScript payloads in POST parameters
- Unexpected outbound connections from users' browsers right after they view an iTop object page (for example to an unknown host receiving a cookie value in the query string); the payload runs client-side, so the iTop server itself shows nothing unusual
SIEM Query:
Illustrative pseudo-query (adapt field names to your log source). Match case-insensitively and URL-decode the request body first, since a literal "<script>" will miss encoded or mixed-case payloads:
source="iTop_logs" AND ("friendlyname" OR "complementary name") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
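The SIEM query above turned into runnable matching logic, added here as an example that is not part of the advisory: it parses constructed request-log lines that include the URL-encoded POST body (the kind a WAF or mod_security audit log produces; plain web-server access logs do not contain bodies), decodes each form field and applies a case-insensitive indicator pattern. The log format, the usernames and the form field names are constructed for this example.

```php
<?php
// Added illustrative example (not from the advisory or iTop): matching XSS
// payload indicators in request logs that capture POST bodies. The log format
// below is constructed for this example; adapt the parser to whatever your
// proxy or WAF actually writes.
declare(strict_types=1);

// Constructed sample lines: "<timestamp> <user> <method> <path> <urlencoded form body>"
const SAMPLE_LOG = <<<'LOG'
2024-01-10T09:12:03Z alice POST /pages/UI.php operation=apply_modify&class=Person&attr_name=Liddell&attr_first_name=Alice
2024-01-10T09:14:41Z mallory POST /pages/UI.php operation=apply_modify&class=Person&attr_name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&attr_first_name=Bob
2024-01-10T09:15:02Z mallory POST /pages/UI.php operation=apply_modify&class=Team&attr_name=x%22%20onMouseOver%3D%22alert%281%29
2024-01-10T09:16:30Z bob GET /pages/UI.php operation=details&class=Person&id=42
LOG;

// Indicators from the SIEM query, widened to be case-insensitive and to catch
// tag and event-handler variants that the literal "<script>" string misses.
const XSS_INDICATOR = '/<\s*(script|img|svg|iframe)\b|javascript\s*:|\bon[a-z]+\s*=/i';

// Splits one log line into its fields and URL-decodes the form body.
// Returns null for lines that do not have at least timestamp, user, method, path.
function parseLogLine(string $line): ?array
{
    $parts = preg_split('/\s+/', trim($line), 5);
    if ($parts === false || count($parts) < 4) {
        return null;
    }
    [$ts, $user, $method, $path] = $parts;
    $body = $parts[4] ?? '';          // absent for GET requests
    parse_str($body, $fields);        // decodes percent-encoding per field
    return ['ts' => $ts, 'user' => $user, 'method' => $method,
            'path' => $path, 'fields' => $fields];
}

// Returns one hit per suspicious field: [timestamp, user, field name, decoded value].
function findXssIndicators(string $log): array
{
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        $rec = parseLogLine($line);
        if ($rec === null || $rec['method'] !== 'POST') {
            continue;
        }
        foreach ($rec['fields'] as $name => $value) {
            if (is_string($value) && preg_match(XSS_INDICATOR, $value)) {
                $hits[] = [$rec['ts'], $rec['user'], $name, $value];
            }
        }
    }
    return $hits;
}

foreach (findXssIndicators(SAMPLE_LOG) as [$ts, $user, $field, $value]) {
    printf("%s user=%s field=%s value=%s\n", $ts, $user, $field, $value);
}
```

The indicator pattern is deliberately broader than the literal strings in the query above (mixed case, img/svg/iframe vectors, any on*= handler); expect to tune it against your own traffic, since a legitimate value that happens to end in "on=" will also match, and pair the hit with the account name so that repeated attempts by one user stand out.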
🔗 References
- https://github.com/Combodo/iTop/commit/34ba4fa0ce99534f751d9f170fe0eda103e20c72
- https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp