Headline
CVE-2022-24780: N°4384 Security hardening · Combodo/iTop@b6fac4b
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.
@@ -108,10 +108,10 @@ public function __construct(RequestManipulatorHelper $oRequestManipulator, Conte
/** * @param \Symfony\Component\HttpFoundation\Request $oRequest * @param string $sMode * @param string $sObjectClass * @param string $sObjectId * @param string $aFormProperties * @param string $sMode * @param string $sObjectClass * @param string $sObjectId * @param array $aFormProperties * * @return array * @@ -127,9 +127,10 @@ public function HandleForm(Request $oRequest, $sMode, $sObjectClass, $sObjectId $bModal = ($oRequest->isXmlHttpRequest() && empty($sOperation));
// - Retrieve form properties $aOriginalFormProperties = ApplicationHelper::GetLoadedFormFromClass($this->aCombodoPortalInstanceConf[‘forms’], $sObjectClass, $sMode); if ($aFormProperties === null) { $aFormProperties = ApplicationHelper::GetLoadedFormFromClass($this->aCombodoPortalInstanceConf[‘forms’], $sObjectClass, $sMode); $aFormProperties = $aOriginalFormProperties; }
// - Create and @@ -281,27 +282,24 @@ public function HandleForm(Request $oRequest, $sMode, $sObjectClass, $sObjectId
$oFormManager->Build(); $aFormData[‘hidden_fields’] = $oFormManager->GetHiddenFieldsId(); // Check the number of editable fields // Check the number of editable fields $aFormData[‘editable_fields_count’] = $oFormManager->GetForm()->GetEditableFieldCount(); } else { } else { // Update / Submit / Cancel /** @var \Combodo\iTop\Portal\Form\ObjectFormManager $sFormManagerClass */ $sFormManagerClass = $this->oRequestManipulator->ReadParam('formmanager_class’, '’, FILTER_UNSAFE_RAW); $sFormManagerData = $this->oRequestManipulator->ReadParam(‘formmanager_data’, ‘’, FILTER_UNSAFE_RAW); if (empty($sFormManagerClass) || empty($sFormManagerData)) { if (empty($sFormManagerClass) || empty($sFormManagerData)) { IssueLog::Error(__METHOD__.’ at line ‘.__LINE__.’ : Parameters formmanager_class and formamanager_data must be defined.’); throw new HttpException(Response::HTTP_INTERNAL_SERVER_ERROR, ‘Parameters formmanager_class and formmanager_data must be defined.’); }
/** @var \Combodo\iTop\Portal\Form\ObjectFormManager $oFormManager */ $oFormManager = $sFormManagerClass::FromJSON($sFormManagerData); $bTrustContent = $sFormManagerClass::CanTrustFormLayoutContent($sFormManagerData, $aOriginalFormProperties); $oFormManager = $sFormManagerClass::FromJSON($sFormManagerData, $bTrustContent); $oFormManager->SetContainer($this->oContainer);
// Applying action rules if present if (($oFormManager->GetActionRulesToken() !== null) && ($oFormManager->GetActionRulesToken() !== ‘’)) { if (($oFormManager->GetActionRulesToken() !== null) && ($oFormManager->GetActionRulesToken() !== ‘’)) { $aActionRules = ContextManipulatorHelper::DecodeRulesToken($oFormManager->GetActionRulesToken()); $oObj = $oFormManager->GetObject(); $this->oContextManipulator->PrepareObject($aActionRules, $oObj);
Related news
**I am running a supported version of Windows Server. Is my system vulnerable to this issue?** This vulnerability is only exploitable for systems that have the NFS role enabled. See NFS Overview for more information on this feature. More information on installing or uninstalling Roles or Role Services is available here.
**Why is Attack Complexity marked as High for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.