How to identify and combat unrestricted file upload, path traversal and broken authentication vulnerabilities in ADManager Plus

ADManager Plus builds have been reported to contain unrestricted file upload, path traversal and broken authentication vulnerabilities, which together can lead to unauthenticated remote code execution. For more information on these vulnerabilities and their respective CVE IDs, please refer to our ADManager Plus 7111 release notes here. This article explains these issues and the steps to follow to secure your ADManager Plus instance.

What is the issue?

Unrestricted file upload and path traversal vulnerabilities in ManageEngine ADManager Plus allow unauthenticated remote code execution. As a result, an attacker can run code of their choice on the ADManager Plus server with administrator/system privileges, without authenticating.

Whom does it affect?

All users running ADManager Plus builds below 7111.

What is the severity level of this vulnerability?

This is a critical vulnerability.

How to prevent my instance from getting compromised?

To prevent your ADManager Plus installation from getting compromised, you can either upgrade the product to the latest build, which we strongly recommend, or follow the mitigation steps.

Option 1: Update your ADManager Plus:

To update your ADManager Plus instance, download the service pack from this page and follow the instructions given on the page to install the new service pack.

Option 2: Follow these mitigation steps:

Step 1: Disable SAML authentication. To do this, log in to your ADManager Plus console and go to Delegation → Configuration → Logon Settings → Single Sign On. Disable the 'Enable Single Sign-on with Active Directory' option and click Save.

Step 2: Stop ADManager Plus. 

Step 3: Take a backup of web.xml from ADManager Plus\webapps\adsm\WEB-INF.

Step 4: Add the snippet below to web.xml, immediately before the closing </web-app> tag:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/WC/*</url-pattern>
        <url-pattern>/RestAPI/SmartCard/*</url-pattern>
        <url-pattern>/ADMPSmartCardConfig.do</url-pattern>
        <url-pattern>/RestAPI/WC/SmartCard/*</url-pattern>
        <url-pattern>/SmartCardConfig.do</url-pattern>
        <url-pattern>/RestAPI/WC/NotificationTemplate/attachFiles/*</url-pattern>
        <url-pattern>/ModifyUserPhoto.do</url-pattern>
        <url-pattern>/RestAPI/WC/PasswordExpiryNotification/*</url-pattern>
        <url-pattern>/RestAPI/WC/Personalize/*</url-pattern>
        <url-pattern>/RestAPI/WC/License/*</url-pattern>
        <url-pattern>/ChangeDBAPI.do</url-pattern>
        <url-pattern>/servlet/ProductConfig/*</url-pattern>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

Step 5: Start ADManager Plus.

The mitigation above might affect these features in your instance:
  1. Smart card configuration (smart card authentication itself will continue to work).
  2. Bulk modification of photos.
  3. Scheduler notifications in the Microsoft 365 tab.
  4. A few integration configurations.
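The following script is an added example, not ManageEngine's own tooling, that carries out Steps 3 and 4 of the mitigation and then checks the result. It backs up web.xml, inserts the snippet above verbatim before </web-app> (only once, so re-running it is safe), refuses to write a file that is no longer well-formed XML, and reads the patched file back to list the URL patterns that are now denied. It also includes a small url-pattern matcher so you can see which request paths the constraint covers: an empty <auth-constraint /> names no roles, which the Servlet specification treats as "nobody is authorised", so the container rejects every request to those URLs whether or not the caller is logged in. The file path is a placeholder you supply; the sample web.xml used in the usage note is constructed.

```python
"""Apply and verify the ADManager Plus web.xml mitigation (added example).

Assumes a web.xml with exactly one closing </web-app> tag, as in a stock
Tomcat deployment descriptor. The path passed to apply_mitigation() is a
placeholder for ADManager Plus\\webapps\\adsm\\WEB-INF\\web.xml.
"""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# The article's snippet, reproduced verbatim (indentation aside).
MITIGATION_SNIPPET = """<security-constraint>
    <web-resource-collection>
        <url-pattern>/WC/*</url-pattern>
        <url-pattern>/RestAPI/SmartCard/*</url-pattern>
        <url-pattern>/ADMPSmartCardConfig.do</url-pattern>
        <url-pattern>/RestAPI/WC/SmartCard/*</url-pattern>
        <url-pattern>/SmartCardConfig.do</url-pattern>
        <url-pattern>/RestAPI/WC/NotificationTemplate/attachFiles/*</url-pattern>
        <url-pattern>/ModifyUserPhoto.do</url-pattern>
        <url-pattern>/RestAPI/WC/PasswordExpiryNotification/*</url-pattern>
        <url-pattern>/RestAPI/WC/Personalize/*</url-pattern>
        <url-pattern>/RestAPI/WC/License/*</url-pattern>
        <url-pattern>/ChangeDBAPI.do</url-pattern>
        <url-pattern>/servlet/ProductConfig/*</url-pattern>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
"""

# Single source of truth: the patterns are read out of the snippet itself.
MITIGATION_PATTERNS = re.findall(r"<url-pattern>(.*?)</url-pattern>", MITIGATION_SNIPPET)


def _local(tag):
    """Strip an XML namespace ({uri}name -> name); web.xml normally declares one."""
    return tag.rsplit("}", 1)[-1]


def denied_patterns(web_xml_text):
    """URL patterns guarded by a security-constraint whose auth-constraint names
    no roles. Per the Servlet spec an empty <auth-constraint/> authorises nobody,
    so the container rejects every request to those URLs, logged in or not."""
    root = ET.fromstring(web_xml_text)
    denied = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        # No auth-constraint at all => unrestricted; role-names => role-based, not a blanket deny.
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue
        for wrc in sc:
            if _local(wrc.tag) == "web-resource-collection":
                for up in wrc:
                    if _local(up.tag) == "url-pattern":
                        denied.add((up.text or "").strip())
    return denied


def patch_web_xml(text):
    """Return the descriptor with the snippet inserted before </web-app>.
    Returns the text unchanged if the constraint is already present (idempotent).
    Raises ValueError if the result would not be well-formed XML."""
    if set(MITIGATION_PATTERNS) <= denied_patterns(text):
        return text
    if text.count("</web-app>") != 1:
        raise ValueError("expected exactly one </web-app> closing tag")
    patched = text.replace("</web-app>", MITIGATION_SNIPPET + "</web-app>")
    ET.fromstring(patched)  # raises ParseError before anything is written
    return patched


def apply_mitigation(web_xml):
    """Steps 3 and 4: back up web.xml, then write the patched descriptor.
    Returns the backup path, or None if the constraint was already in place."""
    web_xml = Path(web_xml)
    original = web_xml.read_text(encoding="utf-8")
    patched = patch_web_xml(original)
    if patched == original:
        return None
    backup = web_xml.with_suffix(".xml.bak")
    shutil.copy2(web_xml, backup)
    web_xml.write_text(patched, encoding="utf-8")
    return backup


def matches(url_pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix (/x/*) or extension (*.ext).
    Matching is case-sensitive and applies to the decoded, normalised request path;
    the container performs that normalisation before consulting the constraints."""
    if url_pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(url_pattern[1:])
    if url_pattern.endswith("/*"):
        prefix = url_pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == url_pattern


def is_blocked(path, patterns=MITIGATION_PATTERNS):
    """True if any mitigation pattern covers the request path."""
    return any(matches(p, path) for p in patterns)
```

Run it as `apply_mitigation(r"C:\ManageEngine\ADManager Plus\webapps\adsm\WEB-INF\web.xml")` (placeholder path) with the product stopped, then start ADManager Plus (Step 5). Because the constraint is a blanket deny, the check after restart is simply that requests to the listed URLs are refused by the container for every caller, while the rest of the console still works; `denied_patterns()` on the live file tells you which patterns are in force, and `is_blocked()` tells you whether a given path falls under them (note that `/WC/*` covers `/WC` and `/WC/anything`, but not `/WCx` or the differently cased `/wc/x`).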

If you need any additional information or if you face any issues in performing the recommended steps, please write to us at support@admanagerplus.com. You can also call us at +1-844-245-1108 (toll-free).
