For smaller shops, given there are object and rack management in ITDB, one wouldn't need Racktables or other tools if they had a place to put IPv4 and IPv6 ranges and addresses. One other thing that's been missing in Racktables itself, is the ability to designate multiple-IP assignments for DHCP / other allocations.

With SQLMap, I found that this software has problem (maybe more)

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: action=edititem&id=5) OR NOT 1460=1460-- CDNM
    Vector: OR NOT [INFERENCE]
---

It is my firs day working with itdb and I love it:)
I can advise you one usefull feature. My todays task is to add few racks with a looooot of staff inside. It would be very usefull if there was an option to copy item and rack. We have a lot of same equipment with only different serial number and it's anoying to typing it ower and ower again. Same with same kind of racks:P

Uploading itdb 1.23 - Cross-Site Scripting (XSS).docx…

In edit item:
When I go in "Inter-Item Association"
And I click on "ID" to order by item by "ID"
And I click on check one or some items
And I click on "Save"

No Insert is done in "Inter-Item Associations" table
No variable Itlnk is send by the browser
The sorttable javascript code broke the form inputs for Items Association.

I use Chrome (47.0.2526.80)

The filter work #1. May-be temporary disabling the sort function can be better?

Tanks
And Nice work for ITDB!

Hi,
When I try to read a QR code asset label, I have added the below text to be prepended.
http://itdb.XXXXX.com/?action=edititem&id=

So on reading the code in a QR code reader connected to a pc or a qr reader app, it opens a browser and displays the item details in:

1. Edit item mode page if I have logged in as ITDB Administrator.
2. Item details page with all details in editable mode - if I have logged in as security. Please note that I can edit the details in the fields but on clicking submit, it throws a error, "access denied."

Can we have, instead of "Access denied" after displaying the page with editable fields, the whole page is rendered as read only with the Assets details please?

Regards,
Krishna

Something that may be useful for people would be to have a checkin/checkout page for mobile devices and equipment. The page itself wouldn't necessarily need to be fancy, just a search box to input either a service tag or inventory number (i.e. with a barcode scanner), and then bringing the item up, asking whether to check it in our out (depending on prior conditions, possibly), and letting the user of said device be changed at this point.

SQLite is very slow on ext4, so please add follow line for speed up:

$dbh->exec("pragma synchronous = off;");

Hi,
A SMTP configuration setting with fields to send email from itdb to an administrator would be nice.
Would be perfect for this software.

Regards,
Krishna Kumar

Hi,
I have problem with Full Backup on 1.23 Version. After clicking "Full backup", a new tab opens and a message appears

Firefox cannot find the file http://1....../gettar.php.

When i go to directory /var/www/itdb-1.23 i see "gettar.php".
When i inspect on the page "Full Backup" the name is correct in "a href".
After chmod 777 and chown www-data still I have this problem.

Hi Spiro,
at first, let me congratulate you for the excellent tool you have created. I recently tried quite a few tools and this is the only one i have found that provides the capability of creating connections among items (for example, i can create a new network card and associate it to a server!) as well as among software and contracts. It seems that this tool was created gradually and adding up every time a new capability that resulted to a full-set of features.
Now, my request would be to have the table of Items to be configurable as to which columns (fields) to present. For example, I might want to see the hw characteristics of a set of Items (e.g. CPU, RAM, etc), so, if I have the option to select those fields it would be really great. An alternative to that would be to be able to export all the fields of the Items to a csv/excel file (currently you can export only the fields that are shown in the columns of the Items view).
Thanks,
Dimitris

When we go to check days left in our warranties, they are wrong by several days.

It seems that you are hardcoding months as exactly thirty days on line 132 and line 174 of this file:

datatables_listitems_ajax.php

Hey Sivann,

I found the security issue / vulnerability on ITDB application. I have sent Proof of Concept to your email "[email protected]".

is it possible if I post the vulnerability in here?

Warning: count(): Parameter must be an array or an object that implements Countable.
i wonder if i must doing upgrade or not? this error show when i want to edit items.
Please help, thankyou

Hi, i'm facing an issue in ITDB version 1.8

when i search my items, it wont show up like below :

same as when i want to add an item :

any suggestions ?

regards,
vincent

in your inventory management tool, it is possible to do SQL injection(s).

How to reproduce:

• A user with (type=Full Access) is logged in
• Malroy (the attacker) sends the user an specially crafted URI:
  • localhost/itdb/index.php?action=edititem&delid=1 OR 1=1
• The user clicks the malicious URI

➡️ This will delete all items stored in the database!

What is the problem:

• The first problem is, that you invoke actions using a GET requests. This does not send a XSRF-token, thereby an attacker can trick you to execute the delete action by clicking the malicious url.

• The second problem: You do not restrict the delid to be e.g. only a number. This allows an attacker to inject an arbitrary SQL query.

• The third problem: The attackers' SQL query is executed, because you do not use prepared statements.

How to patch this vulnerability:

Replace lines 24-25 (https://github.com/sivann/itdb/blob/master/php/edititem.php#L24) with this:

$sql=$mysqli->prepare("DELETE from item2file where itemid=?"); // ? := placeholder for variable content
$sql->bind_param('i', $delid); // i := corresponding variable has type integer
$sql->execute(); // execute prepared statement
$sql->close(); // close statement and connection

And use mysqli for the db connections instead, e.g.:
$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');
Here you can find more information/examples : http://php.net/manual/en/mysqli-stmt.bind-param.php

How to fix the problem in general:

• Use prepared statements and parameterized queries for all your SQL! These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL. See: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

• Dont modify/delete/... with GET

Vulnerability found by:

• @stweigand
• @MoD01

Ajax query on items search page when sessions is disconnected throw php errors:
"PHP Fatal error: Call to a member function fetch() on integer in /var/www/webroot/secure.interplex.ca/interplex-itdb/php/datatables_listitems_ajax.php on line 113"

Sessions status in datatables_listitems_ajax.php must be verified and then the browser must reload page when disconnected.

ITDB Version 1.23
PDO::ATTR_CLIENT_VERSION: 3.13.0
PDO::ATTR_SERVER_VERSION: 3.13.0
Current PHP version: 5.6.23
PDO_SQLITE version:3.13.0

Hi Sivann,

I'm new to apache2+php. I created a itdb site in my environment. everything is fine but only in the data browser function, each link doesn't include my site domain name.

for example:
http://index.php/?action=edititem&id=6

I see in the itdb demo site is no problem so would you please tell me why? below is my site's configuration information.

Thank you!

hello

i am very interested in this software, i am curious though - if there is an api (perhaps xmlrpc) what will allow us to push data in to this database with our own scripts and automation.

thanks

If at all possible, would it be hard to remove the flash elements from the menus? Flash support is dying a low and painful death.

Click Make item labels, print
TCPDF ERROR: [Image] Unable to get the size of the image: images/itdb.png

I trace the code, find that the current work directory is itdb/php, which does not has images folder, I copy the itdb/images to itdb/php/images, Make item labels is ok.

Since upgrading to V1.23 the multi-field search (image attached) for "Items" no longer works. This is the function accessed by clicking the small clear elliptical looking icon at the top left of the Items list.

All the field tags are now just "Name" where they used to be "Serial Number", "Model" etc. Entering any data into the fields produces the following error when viewing the source in IE

SCRIPT5007: Unable to set property 'sSearch' of undefined or null reference. jquery.dataTables.min.js (123,196)

System details are as follows:
RHEL 6
Apache 2.2.15
PHP 5.3.3
SQLite 3.6.20

Thanks!

Hi,
I try to modify an id 25 changing the location from A to B and obtain the error:

Error: Item not saved, correct these errors:
Duplicate SN with id 5

With version 1.22 or 1.23, i have opened the sqllite db with a browser and there are no equal sn into items table.

Follow my personal debug...

it's possible problem with or before this query ?

$sql="SELECT id from items where id <> $myid AND ((length(sn)>0 AND sn in ('{$_POST['sn']}', '{$_POST['sn2']}')) OR (length(sn2)>0 AND sn2 in ('{$_POST['sn']}', '{$_POST['sn2']}'))) LIMIT 1";

I try using with myid = 25 (the right value) and obtain 0 field with any other value obtain as result 25

SELECT id from items where id <> 25 AND ((length(sn)>0 AND sn in ('XXX', '')) OR (length(sn2)>0 AND sn2 in ('XXX, ''))) LIMIT 1
result: null

SELECT id from items where id <> Y AND ((length(sn)>0 AND sn in ('XXX', '')) OR (length(sn2)>0 AND sn2 in ('XXX, ''))) LIMIT 1
result: 25

How can i verify myid it's correct?

Thanks in advance
Nicola

The "Items with warranty end date close to (before or after) today" report appears to be using hardcoded 30 day months as well.

Hi,

I wish to ask that how to reset the itdb password since I have failed to login. The web interface does not seem to have any reset button and the db is not like mysql as I am not familiar with it.

Appreciate the help.

Thanks.

There is a small bug in editsoftware.php that is messing up the formatting of the editsoftware->item association 'type' column that makes the column basically unreadable. Removing $attr from line 479 fixes the problem.

Before:

After:

V itdb1.23 items Can not add and modify Racks 。
https://github.com/sivann/itdb/archive/1.23.zip

THX

DY DICKY EMAIL:[email protected]

on an almost vanilla RHEL6, the following were also needed:

• add package php-pdo
• fix permissions chmod a+x ./php

also, update copyright to -2014 or -2015 on homepage!

Warning: require(php/editusers.php): failed to open stream: No such file or directory in C:\xampp\htdocs\TKB-itdb\index.php on line 415

Fatal error: require(): Failed opening required 'php/editusers.php' (include_path='.;\xampp\php\PEAR') in C:\xampp\htdocs\TKB-itdb\index.php on line 415

I noticed an issue when importing data into the database using the import function.
When I attempt to import a file, the location information is populated pre import check, but once the data is imported and I list the items, the location field is blank. Additionally, if there is information in the area field in the csv file, that is entered into the database.

Fails to upgrade from db v3 to v6 with "cannot start a transaction within a transaction" error

solved by adding "commit;" at the top of updates/db/3_4.sql

Hi,
it's possibile to have some mandatory field for add new items / software?
and if it's just implemented you can i modify the list of this?

Thanks in advance, you can close becouse it's not a bug but a request of info...

Nicola

PS I found the part of code in edititems.php with validation part! Sorry!

Hello,
it would be a great idea adding power consumption for each server/device, having an handy counter per rack.

I'd love it :)

When I use Print Labels, the characters in Chinese will be displayed as 口口 in the pdf. The Chinese characters displayed correctly in other pages.

Please add RUR ito currency.

import.php line 412 under //add items in $stmt=db_execute2 array, fix name for locid:

        //'locationid'=>$locationid,
        'locationid'=>$locid,

First i wanna Thx all for all hardworks and effort spend for developing this application.

i got an issue whit Full Backup it work by generate the tar.gz file but when i wanna extract the file it show me that's an unknow format or damaged and cannot use it
Any 1 have the same probleme or can help me

Note:
i used 3 differents application to extract the .tar.gz file 7zip, Winrar, Winzip.

I tried to connect ITDB to the active directory, but I've failed to login using an active directory user.
Is it working or not? and if someone succeeded to connect to AD, could he advise me please?

Can you please add/fix these features?

Software licenses:
Prevent over-licensing.

Items:
Prevent duplicates. Check for existence of Serial Number,Label Number,MAC Address.

According to error in php/edituser.php file, we cant't change user access right.
In line: 72 is:
if ($username='admin' && $usertype) {

but should be:
if ($username=='admin' && $usertype) {

Hi,
First appreciate the great work.
Would like to have the options to export the reports into to a pdf file.

Regards,
Krishna Kumar

Hello sivann,

1.- I found some short tags in /php/setting.php.
row 164:

2.- Another modification request:

Please add hungarian currency to the list in /php/setting.php:

  <option <?php echo $s?> title='Forint' value='Ft'>Ft</option>

Best regards!

Hi this is not a big problem, in User, Agent, Location i have more then 10 items so the Edit column (or id colum) are sorted in not correct way attacched a sample... 1, 10, 11.., 2, 3, 4,/.., 9

This is not a problem you can close if you want

Regards
Nicola

Sivann,

I have provided many updates and non of them have made it into your code. How is it best done to do so? I am thinking maybe creating a fork, but that kind of takes away from the purpose.

Thoughts?

I have downloaded latest version of this software and i have try to install it on my local server for checking but i,m getting this error again and again.I have uploaded it on live server too but i,m getting same error when i tried to change itdb directory folder permissions 755 to 777 i,m getting internal server error.pLease tell me what should i do?
THanks
/home/lolololo/public_html/itdb-1.14 is not writeable by apache
make /home/lolololo/public_html/itdb-1.14/data/files/ writeable by the user running the web server
in unix:
chown /home/lolololo/public_html/itdb-1.14/data/files/; chmod u+w /home/lolololo/public_html/itdb-1.14/data/files/

It would be better if itdb would support PostgreSQL and MySQL as SQLite is not suitable for integration

this error "Cannot upload files to unsaved items." won't go away when i access the Items / File Upload tab. What do i need to do to get rid of it? I'm running IT DB version 1.23 on Linux Redhat 7.3

Thanks in advance
Sam

Hello
i will work with ITDB. It´s a great Projekt! Thanks for you.

Is it possible to pramm a Email Reminder function that remember if the warranty or service contract expires?

Thanks
Regards Dreamscape84