ManageEngine OpUtils ConfigSaveServlet saveFile Information Disclosure Vulnerability

2014-11-21T00:00:00
ID ZDI-14-386
Type zdi
Reporter Andrea Micalizzi (rgod)
Modified 2014-06-22T00:00:00

Description

This vulnerability allows remote attackers to disclose files on vulnerable installations of ManageEngine OpUtils. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the ConfigSaveServlet servlet. The issue lies in the failure to properly sanitize a filename. A remote attacker can exploit this vulnerability to disclose files from the system.