[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cross-site Scripting in EventLog Analyzer 9.0 build #9000

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Cross-site Scripting in EventLog Analyzer 9.0 build #9000
From: audit1@xxxxxxxxxxxx
Date: Tue, 22 Jul 2014 11:18:34 GMT

We discovered a vulnerability in the EventLog Analyzer web application.

Vulnerability Type: Cross-site Scripting

Original Release: June 20, 2014

Discovered by: 
        Security Team - A2SECURE
        Artëm Tsvetkov  atsvetkov@xxxxxxxxxxxx 
        Sisco Barrera   sbarrera@xxxxxxxxxxxx 
        Andrea Bodei    abodei@xxxxxxxxxxxx     

Products and affected versions:
        MANAGEENGINE EVENTLOG ANALYZER 9.0 build #9000

Company: A2SECURE - España
A2Secure Website: http://www.a2secure.com
Vendor Website: http://www.manageengine.com 
Application Website: http://www.manageengine.com/products/eventlog/ 



===========================
Background
===========================

EventLog Analyzer is a Security Information and Event Management (SIEM) 
software. Using this Log Analyzer software, organizations can automate the 
entire process of managing terabytes of machine generated logs by collecting, 
analyzing, correlating, searching, reporting, and archiving from one central 
location. This event log analyzer software helps to mitigate file integrity, 
conduct log forensics analysis, monitor privileged users and comply to 
different compliance regulatory bodies by intelligently analyzing your logs and 
instantly generating a variety of reports like user activity reports, 
historical trend reports, and more.



===========================
Vulnerability Details
===========================

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious 
scripts are injected into otherwise benign and trusted web sites. XSS attacks 
occur when an attacker uses a web application to send malicious code, generally 
in the form of a browser side script, to a different end user. Flaws that allow 
these attacks to succeed are quite widespread and occur anywhere a web 
application uses input from a user within the output it generates without 
validating or encoding it. 

EventLog Analyzer should correctly filter input data using a whitelist of 
allowed characters, encoding, or a similar technique. 
 

===========================
Proof of Concept
===========================

The login username parameter is vulnerable to Cross-site Scripting

Domain:         https://localhost:8500
Method:         POST
Path:           /event/j_security_check
Parameter:      j_username
Payload:        "><script>alert(1);</script>



===========================
Credits / Author
===========================

Artëm Tsvetkov
www.a2secure.com 



===========================
Disclaimer
===========================

All information is provided without warranty. The intent is to provide 
information to secure infrastructure and/or systems, not to be able to attack 
or damage. Therefore A2Secure shall not be liable for any direct or indirect 
damages that might be caused by using this information.

Prev by Date: [oCERT-2014-004] Ansible input sanitization errors
Next by Date: Web Login Bruteforce in Symantec Endpoint Protection Manager 12.1.4023.4080
Previous by thread: [oCERT-2014-004] Ansible input sanitization errors
Next by thread: Web Login Bruteforce in Symantec Endpoint Protection Manager 12.1.4023.4080
Index(es):
- Date
- Thread