CVE-2022-24780: N°4384 Security hardening · Combodo/iTop@b6fac4b

Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.


@@ -108,10 +108,10 @@ public function __construct(RequestManipulatorHelper $oRequestManipulator, Conte
/** * @param \Symfony\Component\HttpFoundation\Request $oRequest * @param string $sMode * @param string $sObjectClass * @param string $sObjectId * @param string $aFormProperties * @param string $sMode * @param string $sObjectClass * @param string $sObjectId * @param array $aFormProperties * * @return array * @@ -127,9 +127,10 @@ public function HandleForm(Request $oRequest, $sMode, $sObjectClass, $sObjectId $bModal = ($oRequest->isXmlHttpRequest() && empty($sOperation));
// - Retrieve form properties $aOriginalFormProperties = ApplicationHelper::GetLoadedFormFromClass($this->aCombodoPortalInstanceConf[‘forms’], $sObjectClass, $sMode); if ($aFormProperties === null) { $aFormProperties = ApplicationHelper::GetLoadedFormFromClass($this->aCombodoPortalInstanceConf[‘forms’], $sObjectClass, $sMode); $aFormProperties = $aOriginalFormProperties; }
// - Create and @@ -281,27 +282,24 @@ public function HandleForm(Request $oRequest, $sMode, $sObjectClass, $sObjectId
$oFormManager->Build(); $aFormData[‘hidden_fields’] = $oFormManager->GetHiddenFieldsId(); // Check the number of editable fields // Check the number of editable fields $aFormData[‘editable_fields_count’] = $oFormManager->GetForm()->GetEditableFieldCount(); } else { } else { // Update / Submit / Cancel /** @var \Combodo\iTop\Portal\Form\ObjectFormManager $sFormManagerClass */ $sFormManagerClass = $this->oRequestManipulator->ReadParam('formmanager_class’, '’, FILTER_UNSAFE_RAW); $sFormManagerData = $this->oRequestManipulator->ReadParam(‘formmanager_data’, ‘’, FILTER_UNSAFE_RAW); if (empty($sFormManagerClass) || empty($sFormManagerData)) { if (empty($sFormManagerClass) || empty($sFormManagerData)) { IssueLog::Error(__METHOD__.’ at line ‘.__LINE__.’ : Parameters formmanager_class and formamanager_data must be defined.’); throw new HttpException(Response::HTTP_INTERNAL_SERVER_ERROR, ‘Parameters formmanager_class and formmanager_data must be defined.’); }
/** @var \Combodo\iTop\Portal\Form\ObjectFormManager $oFormManager */ $oFormManager = $sFormManagerClass::FromJSON($sFormManagerData); $bTrustContent = $sFormManagerClass::CanTrustFormLayoutContent($sFormManagerData, $aOriginalFormProperties); $oFormManager = $sFormManagerClass::FromJSON($sFormManagerData, $bTrustContent); $oFormManager->SetContainer($this->oContainer);
// Applying action rules if present if (($oFormManager->GetActionRulesToken() !== null) && ($oFormManager->GetActionRulesToken() !== ‘’)) { if (($oFormManager->GetActionRulesToken() !== null) && ($oFormManager->GetActionRulesToken() !== ‘’)) { $aActionRules = ContextManipulatorHelper::DecodeRulesToken($oFormManager->GetActionRulesToken()); $oObj = $oFormManager->GetObject(); $this->oContextManipulator->PrepareObject($aActionRules, $oObj);
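Review bot: In the `} else {` branch, `$sFormManagerClass` is read from the request with `ReadParam('formmanager_class', '', FILTER_UNSAFE_RAW)` and is then used as the receiver of two static calls, `$sFormManagerClass::CanTrustFormLayoutContent(...)` and `$sFormManagerClass::FromJSON(...)`; the new trust check constrains the form layout content but not which class is invoked, unless an earlier check outside this hunk already restricts it. Before the first static call, validate the name against the hierarchy the `/** @var \Combodo\iTop\Portal\Form\ObjectFormManager $sFormManagerClass */` annotation already promises, e.g. `if (!is_a($sFormManagerClass, ObjectFormManager::class, true)) { throw new HttpException(Response::HTTP_BAD_REQUEST, 'Invalid form manager class.'); }`, and log the rejection through `IssueLog` as the existing guard does. It would also help to document `$bTrustContent` at its assignment, e.g. `// Client-submitted layout is only trusted when it matches the server-side form definition loaded earlier into $aOriginalFormProperties`, since that variable is introduced in the earlier hunk at line 127. The body of `HandleForm` begins before this hunk and appears to continue past its last visible line.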

Related news

iTop Remote Command Execution

iTop versions prior to 2.7.5 authenticated remote command execution exploit.
