
i-doit CMDB arbitrary file download exposes configuration secrets

1 min read | Published 21 Mar 2026 | Updated 21 Mar 2026 | Source: GitHub Advisory Database (Unreviewed)

TL;DR: the file_manager=image handler in i-doit CMDB's index.php can be abused by authenticated attackers to download arbitrary server files, exposing configuration secrets and credentials.

What happened

i-doit CMDB is a web-based configuration management database (CMDB) used to document infrastructure assets and their relationships. A newly published advisory for CVE-2019-25582 describes a High-severity arbitrary file download issue in i-doit CMDB 1.12 where an authenticated attacker can manipulate a file parameter in index.php to retrieve sensitive files.

The advisory states that attackers can send GET requests to index.php with file_manager=image and supply arbitrary file paths (the example given is src/config.inc.php) to obtain configuration files and other sensitive system data.

This matters because CMDB apps routinely store high-value secrets (database credentials, API tokens, environment-specific configuration). File read bugs in these “internal admin tools” often become a pivot point for broader compromise, and a public Exploit-DB reference is listed in the advisory.

Who is impacted

  • Deployments running i-doit CMDB 1.12.
  • Environments where low-privilege authenticated users can reach the affected index.php route.
  • Instances where sensitive configuration files are readable by the web application runtime user (a common default).

What to do now

  • Follow vendor remediation guidance (this advisory does not list a fixed version or patched release at the time of writing).
  • Reduce exposure while you validate remediation options:
    • limit network access to i-doit (VPN / allowlists / admin-only access),
    • where i-doit allows it, disable file-manager functionality for least-privilege roles so that ordinary authenticated users cannot reach it.
  • Treat potential disclosure as a security incident for the app tier:
    • review access logs for unexpected GET requests to index.php using file_manager=image,
    • rotate credentials that could plausibly be stored in or derived from src/config.inc.php (database credentials, service tokens, SMTP creds, etc.).
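As an added example (not from the advisory or the i-doit project), the following Python script shows the access-log review suggested above: it parses combined-format log lines, keeps only index.php requests carrying file_manager=image, and escalates those whose other query values look like filesystem paths or source/config files rather than image assets. The sample log lines are constructed, and the parameter name `file` in them is an assumption; the advisory does not name the file parameter, so the script inspects every non-file_manager query value instead of one fixed key.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in combined access-log format (not real traffic).
# The "file" parameter name is assumed; the advisory does not name it.
SAMPLE_LOG = """\
10.0.0.5 - alice [21/Mar/2026:10:01:02 +0000] "GET /index.php?load=dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - bob [21/Mar/2026:10:02:17 +0000] "GET /index.php?file_manager=image&file=src/config.inc.php HTTP/1.1" 200 2048 "-" "curl/8.4.0"
10.0.0.9 - bob [21/Mar/2026:10:02:19 +0000] "GET /index.php?file_manager=image&file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1337 "-" "curl/8.4.0"
10.0.0.7 - carol [21/Mar/2026:10:03:44 +0000] "GET /index.php?file_manager=image&file=logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.9 - bob [21/Mar/2026:10:04:01 +0000] "GET /index.php?file_manager=image HTTP/1.1" 403 210 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A value that looks like a path or a source/config file rather than a plain image name.
PATH_LIKE = re.compile(r'([/\\]|\.\.|\.(php|inc|ini|env|conf)$)', re.IGNORECASE)
# Substrings that justify escalating a path-like value straight to the incident queue.
SENSITIVE_HINTS = ("config", "passwd", "shadow", ".env", "secret", "credential")
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def parse_line(line):
    """Parse one access-log line into a dict with the URL path and decoded query split out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qsl percent-decodes once; keep blank values so "file=" still shows up.
    rec["query"] = dict(parse_qsl(url.query, keep_blank_values=True))
    return rec


def classify(rec):
    """Return (severity, param, value) for an index.php?file_manager=image request, else None."""
    if rec is None or not rec["path"].endswith("/index.php"):
        return None
    if rec["query"].get("file_manager") != "image":
        return None
    worst = ("low", None, None)  # image fetch with no path-like value: keep for baselining
    for key, value in rec["query"].items():
        if key == "file_manager":
            continue
        # Decode a second time so double-encoded values (%252e%252e) are seen as well.
        decoded = unquote(value)
        if not PATH_LIKE.search(decoded):
            continue
        lowered = decoded.lower()
        sev = "high" if any(h in lowered for h in SENSITIVE_HINTS) else "medium"
        if SEVERITY_RANK[sev] > SEVERITY_RANK[worst[0]]:
            worst = (sev, key, decoded)
    return worst


def scan(log_text):
    """Return one finding per file_manager=image request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        result = classify(rec)
        if result is None:
            continue
        sev, param, value = result
        findings.append({
            "ts": rec["ts"], "ip": rec["ip"], "user": rec["user"],
            "status": rec["status"], "severity": sev, "param": param, "value": value,
        })
    return findings


def by_user(findings, min_severity="medium"):
    """Count findings at or above min_severity per user, to decide whose sessions to review."""
    counts = {}
    for f in findings:
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[min_severity]:
            counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ts']} {f['user']:6} {f['status']} {f['param']}={f['value']}")
    print(by_user(results))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the "low" findings are worth keeping as a baseline of normal image fetches so that a sudden shift to path-like values from one account stands out, and a 200 status on a "high" finding is the signal to start credential rotation.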

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
