iTop 2.2.1 Cross Site Request Forgery
Posted by deepcore on March 20, 2016 – 6:47 am
High-Tech Bridge Security Research Lab discovered a remote code execution vulnerability in iTop 2.2.1 that is exploitable through a cross-site request forgery (CSRF) flaw also present in the application. The vulnerability exists because the “/env-production/itop-config/config.php” script does not validate the origin of HTTP requests, and because user input received via the “new_config” HTTP POST parameter is not sanitized before use. An attacker who tricks an authenticated user with access to the configuration editor into submitting a crafted request can therefore inject content into the application's configuration and achieve remote code execution.
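The two weaknesses named above (no request-origin check, no validation of the posted configuration) combine into one exploitable handler. The following is an added illustration written for this page; it is not iTop's code and not from High-Tech Bridge. It shows a minimal "save configuration" handler in the vulnerable shape the advisory describes, next to a hardened version. Function names, the configuration file path, the JSON format for the posted settings and the `csrf_token` form field are all assumptions made for the example.

```php
<?php
// Added example, not iTop's code. Names and file formats are hypothetical.
session_start();

// Vulnerable pattern: the handler accepts any POST carrying "new_config" and
// writes it verbatim into a file that the application later include()s.
// Nothing ties the request to a form the user actually rendered, so a page
// on another site can auto-submit this form through the victim's session
// and plant arbitrary PHP.
function save_config_vulnerable(string $config_path): void
{
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['new_config'])) {
        file_put_contents($config_path, $_POST['new_config']);
    }
}

// Hardened pattern, part 1: a per-session anti-CSRF token. The token is
// emitted as a hidden field in the legitimate form and required on submit.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function render_config_form(string $current_config_json): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    $value = htmlspecialchars($current_config_json, ENT_QUOTES, 'UTF-8');
    return '<form method="post">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<textarea name="new_config">' . $value . '</textarea>'
         . '<button type="submit">Save</button></form>';
}

// Hardened pattern, part 2: defense in depth via the Origin header, falling
// back to Referer. Browsers send Origin on cross-site POSTs, so a forged
// request from another site is rejected here even if a token ever leaks.
// The check fails closed when neither header is present.
function request_origin_allowed(string $expected_host): bool
{
    $hdr = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($hdr === '') {
        return false;
    }
    $host = parse_url($hdr, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

// Hardened pattern, part 3: verify token and origin, then treat the posted
// configuration as data rather than as PHP source. The settings are parsed
// as JSON and re-serialized with var_export(), so every value lands in the
// file as a quoted literal and cannot become executable code.
function save_config_hardened(string $config_path, string $expected_host): int
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return 405;
    }
    $token = (string) ($_POST['csrf_token'] ?? '');
    // hash_equals() avoids a timing side channel on the token comparison.
    if (!hash_equals(csrf_token(), $token) || !request_origin_allowed($expected_host)) {
        return 403;
    }
    $settings = json_decode((string) ($_POST['new_config'] ?? ''), true);
    if (!is_array($settings)) {
        return 400;
    }
    $php = "<?php\nreturn " . var_export($settings, true) . ";\n";
    if (file_put_contents($config_path, $php, LOCK_EX) === false) {
        return 500;
    }
    return 200;
}

// Usage (hypothetical paths and host):
// echo render_config_form(json_encode(['db_host' => 'localhost']));
// http_response_code(save_config_hardened('/var/www/app/conf/config.php', 'itop.example.com'));
```

The token is the primary control; the Origin/Referer check only narrows the window if a token is ever disclosed, and it must fail closed because some clients strip both headers. Re-serializing the settings closes the second flaw independently of CSRF: even an authenticated administrator who is legitimately allowed to edit the configuration can no longer turn a configuration value into executable PHP.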