[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ManageEngine EventLog Analyzer Multiple Cross-site Scripting (XSS) Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ManageEngine EventLog Analyzer Multiple Cross-site Scripting (XSS) Vulnerabilities
From: robkraus@xxxxxxxxxxxxxxx
Date: Fri, 10 Dec 2010 07:04:15 -0700

Title: ManageEngine EventLog Analyzer Multiple Cross-site Scripting (XSS) 
Vulnerabilities
Risk (CVSS2 Base Score): Low (3.9)
Solutionary ID: SERT-VDN-1001
CVE ID: Pending
Solutionary disclosure URL: 
http://www.solutionary.com/index/SERT/Vuln-Disclosures/ManageEngine-XSS-vulnerabilities.html
Product: ManageEngine EventLog Analyzer version 6.1
Application vendor: ManageEngine
Vendor URL: http://www.manageengine.com/products/eventlog/

Date discovered: 9/15/2010
Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research 
Team (SERT)
Vendor notification date: 10/26/2010
Vendor response date: 11/12/2010
Vendor acknowledgment date: 12/2/2010
Vendor provided fix: No fix provided
Release coordinated with the vendor: N/A
Public disclosure date: 12/10/2010

Type of vulnerability: Cross-site Scripting (XSS)
Exploit vectors: Local and Remote

Vulnerability description:  The web application management interface of 
ManageEngine contains multiple injection points, which allow for execution of 
Cross-site Scripting (XSS) attacks. Arbitrary client side code such as 
JavaScript can be included into certain parameters throughout the web 
application. The following parameters and web pages have been tested and 
verified; however, it is likely more views and parameters within the 
application are vulnerable:

INDEX.do (HOST_ID, OS, GROUP, exportFile, load, type, tab) parameters
INDEX2.do (reported) parameter
hostlist.do (gId) parameter
globalSettings.do (newWindow) parameter
enableHost.do (STATUS) parameter

Tested on: Windows XP, SP1, with EventLog Analyzer version 6.1 default 
installation.
Affected software versions: ManageEngine EventLog Analyzer version 6.1 
(previous versions may also be vulnerable)

Impact: Successful attacks could disclose sensitive information about the user, 
session, and syslog clients to the attacker, resulting in a loss of 
confidentiality. Using XSS, an attacker could insert malicious code into a web 
page and entice naïve users to execute the malicious code.

Fixed in: No fix currently available.

Remediation guidelines: The vendor has not provided any remediation guidelines 
to address this issue. Solutionary recommends upgrading the application if 
patches are provided to address the issue identified. 

Keywords: security, vulnerability, ManageEngine, syslog, xss, event, log, 
cross-site scripting

Solutionary, Inc. Vulnerability Disclosure Policy
http://www.solutionary.com/index/SERT/Vulnerability-Disclosure-Policy.html

Prev by Date: PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow
Next by Date: ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability
Previous by thread: PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow
Next by thread: ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability
Index(es):
- Date
- Thread