Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload

2019.02.20
Credit: Dao Duy Hung
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 - arbitrary file upload
# Date: 18-02-2019
# Exploit Author: Dao Duy Hung (duyhungattt@gmail.com)
# Vendor Homepage: https://www.manageengine.com/products/service-desk/
# Software Link: https://www.manageengine.com/products/service-desk/download.html?opDownload_indexbnr
# Version: 9.4 and 10.0 before 10.0 build 10012
# Tested on: SDP 10.0 build 10000
# CVE : CVE-2019-8394

Detail:

In common/FileAttachment.jsp (line 332) the upload file-extension check is applied only when the 'module' parameter equals 'SSP', 'DashBoard' or 'HomePage'. When 'module' is set to 'CustomLogin' the extension check is skipped entirely, the uploaded file is written to the '/custom/login' folder, and that file can then be requested directly at 'host:port/custom/login/filename'. Any authenticated user, even one with the lowest permissions (e.g. guest), can therefore upload a webshell to the server.

POST /common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1 HTTP/1.1
Host: localhost:8080
Content-Length: 50
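The following Python is an added illustration, not ServiceDesk Plus code and not part of the original advisory. It models the gate the advisory describes (an extension allowlist that is consulted only for the SSP, DashBoard and HomePage modules, so CustomLogin passes unchecked) next to a fail-closed version, and adds a small detector that flags an access-log pattern matching the attack: a POST to FileAttachment.jsp with module=CustomLogin followed by a GET of a server-side script under /custom/login/. The allowlist contents, the combined-log format and the sample log lines are constructed assumptions; the module names and the /custom/login path come from the advisory.

```python
"""Vulnerable vs. hardened upload gate for the CVE-2019-8394 pattern, plus a
log detector. Added example; nothing here is SDP's own code."""
import os
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: the page does not state what SDP actually permits.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".css"}
# Modules for which the pre-fix code consulted the allowlist (from the advisory).
CHECKED_MODULES = {"SSP", "DashBoard", "HomePage"}
# Upload target that is served straight back to the browser (from the advisory).
WEB_REACHABLE_DIRS = {"CustomLogin": "/custom/login"}


def extension_ok(filename: str) -> bool:
    _, ext = os.path.splitext(filename.lower())
    return ext in ALLOWED_EXT


def vulnerable_gate(module: str, filename: str) -> bool:
    """Behaviour before 10.0 build 10012 as described: the allowlist is only
    enforced for three modules, so module=CustomLogin accepts any name."""
    if module in CHECKED_MODULES:
        return extension_ok(filename)
    return True  # CustomLogin (and anything else) falls through unchecked


def hardened_gate(module: str, filename: str) -> bool:
    """Fail closed: enforce the allowlist for every module, and refuse names
    that could escape the upload directory or truncate the extension."""
    if not filename or "\x00" in filename:
        return False
    if "/" in filename or "\\" in filename or ".." in filename:
        return False
    return extension_ok(filename)


# Apache/Tomcat combined-log style, assumed for the demo.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT_EXT = (".jsp", ".jspx")


def find_upload_then_execute(log_lines):
    """Return (ip, path) pairs where a client POSTed to FileAttachment.jsp with
    module=CustomLogin and later fetched a JSP from /custom/login/."""
    uploaders = set()
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target = m["ip"], m["method"], m["target"]
        parts = urlsplit(target)
        if method == "POST" and parts.path.endswith("/common/FileAttachment.jsp"):
            if parse_qs(parts.query).get("module") == ["CustomLogin"]:
                uploaders.add(ip)
        elif method == "GET" and parts.path.startswith("/custom/login/"):
            if ip in uploaders and parts.path.lower().endswith(SCRIPT_EXT):
                hits.append((ip, parts.path))
    return hits


# Constructed sample: one attacker sequence and one benign HomePage upload.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Feb/2019:10:00:01 +0000] "POST /common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Feb/2019:10:00:07 +0000] "GET /custom/login/cmd.jsp?cmd=id HTTP/1.1" 200 77',
    '10.0.0.9 - - [18/Feb/2019:10:01:00 +0000] "POST /common/FileAttachment.jsp?module=HomePage HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Feb/2019:10:01:03 +0000] "GET /custom/login/logo.png HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print("vulnerable, CustomLogin, shell.jsp:", vulnerable_gate("CustomLogin", "shell.jsp"))
    print("hardened,   CustomLogin, shell.jsp:", hardened_gate("CustomLogin", "shell.jsp"))
    print("suspicious sequences:", find_upload_then_execute(SAMPLE_LOG))
```

The allowlist-on-every-path change is the core fix; an extension allowlist alone is still not sufficient on its own, because the /custom/login folder is served by the application, so a complete hardening would also prevent script execution from that directory. The detector deliberately keys on the upload-then-fetch sequence rather than on a single request, which keeps benign CustomLogin image uploads out of the results.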


Copyright 2019, cxsecurity.com
