Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload

2019.02.20
Credit: Dao Duy Hung
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


Overall CVSS score: 4/10
Impact: 2.9/10
Exploitability: 8/10
Access required: Remote
Attack complexity: Low
Authentication: Single
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 - arbitrary file upload
# Date: 18-02-2019
# Exploit Author: Dao Duy Hung (duyhungattt@gmail.com)
# Vendor Homepage: https://www.manageengine.com/products/service-desk/
# Software Link: https://www.manageengine.com/products/service-desk/download.html?opDownload_indexbnr
# Version: 9.4 and 10.0 before 10.0 build 10012
# Tested on: SDP 10.0 build 10000
# CVE : CVE-2019-8394

Detail:
In file common/FileAttachment.jsp, line 332 checks the upload's file extension only when the 'module' parameter equals 'SSP', 'DashBoard' or 'HomePage'. If 'module' is set to 'CustomLogin', the extension check is skipped and an arbitrary file is written to the folder '/custom/login'; that file can then be accessed directly at the URL 'host:port/custom/login/filename'. An authenticated user with minimum permissions (e.g. guest) can upload a webshell to the server.

POST /common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1 HTTP/1.1
Host: localhost:8080
Content-Length: 50
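The flaw described above is a validation step gated on a caller-controlled parameter. The following Python is an added illustration, not code from SDP or from the advisory author: it models the flawed check beside a hardened one that validates every upload regardless of 'module', and runs a small detector over constructed access-log lines that flags uploads via module=CustomLogin and requests for non-allowlisted files under /custom/login/. The extension allowlist and log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Modules for which, per the advisory, FileAttachment.jsp checks the extension.
EXTENSION_CHECKED_MODULES = {"SSP", "DashBoard", "HomePage"}
# Assumed attachment allowlist; the product's real list is not given in the advisory.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

def extension_of(filename):
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""

def upload_allowed_vulnerable(module, filename):
    # Flawed pattern: the check runs only for three modules, so any other 'module' value skips it.
    if module in EXTENSION_CHECKED_MODULES:
        return extension_of(filename) in ALLOWED_EXTENSIONS
    return True  # unchecked path

def upload_allowed_fixed(module, filename):
    # Hardened pattern: every upload is validated, whatever the 'module' parameter says.
    return extension_of(filename) in ALLOWED_EXTENSIONS

# Combined-log-format parser (assumed format; adjust to your web server's log layout).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def flag_suspicious(lines):
    # Returns (ip, target) for CustomLogin uploads and for hits on non-allowlisted files in /custom/login/.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = url.path.lower()
        if m["method"] == "POST" and path.endswith("/common/fileattachment.jsp"):
            if parse_qs(url.query).get("module", [""])[0] == "CustomLogin":
                hits.append((m["ip"], m["target"]))
        elif path.startswith("/custom/login/") and extension_of(path) not in ALLOWED_EXTENSIONS:
            hits.append((m["ip"], m["target"]))
    return hits

# Constructed sample access-log lines.
SAMPLE_LOG = [
    '10.0.0.5 - guest [18/Feb/2019:10:12:01 +0000] "POST /common/FileAttachment.jsp?module=SSP&view=Dashboard1 HTTP/1.1" 200 512',
    '10.0.0.5 - guest [18/Feb/2019:10:12:09 +0000] "POST /common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1 HTTP/1.1" 200 512',
    '10.0.0.5 - guest [18/Feb/2019:10:12:15 +0000] "GET /custom/login/upload.jsp HTTP/1.1" 200 88',
    '10.0.0.7 - - [18/Feb/2019:10:13:00 +0000] "GET /custom/login/logo.png HTTP/1.1" 200 2048',
]
```

Running flag_suspicious(SAMPLE_LOG) returns the CustomLogin POST and the request for upload.jsp, while the SSP upload and the PNG fetch are not flagged.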


Copyright 2024, cxsecurity.com