PGSQL:SubmitQuery.do vulnerability (CVE-2015-7765, CVE-2015-7766)

http://seclists.org/fulldisclosure/2015/Sep/66

Vulnerability Detail:

Any account that has access to the web interface with Administrator rights can use a web form to execute SQL queries on the backend PostgreSQL instance. By default, restrictions apply and queries that start with INSERT/UPDATE/DELETE are not allowed to be executed. This is, however, very easy to bypass by using something like "INSERT/**/INTO...". The "/**/" comment acts as a space, so the statement is not detected by OpManager and is executed.
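The filter weakness described above, shown as an added example (not ManageEngine's code): `naive_is_allowed` is an assumed model of a prefix blocklist, and `allowlist_is_allowed` strips SQL comments before allowing only statements whose first keyword is SELECT. All function names, table names and sample queries are constructed for illustration, and the comment handling also covers `--` line comments, which the page does not mention.

```python
import re

BLOCKED = ("INSERT", "UPDATE", "DELETE")

def naive_is_allowed(query: str) -> bool:
    """Assumed model of the bypassed check: reject only 'KEYWORD<whitespace>' prefixes."""
    head = query.lstrip().upper()
    return not any(re.match(rf"{kw}\s", head) for kw in BLOCKED)

# PostgreSQL treats /* ... */ block comments and -- line comments as whitespace.
# Nested block comments are not unwrapped here; leftovers make the check fail closed.
_COMMENT = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)

def first_keyword(query: str) -> str:
    """Return the first SQL keyword after comments are replaced by a space."""
    stripped = _COMMENT.sub(" ", query)
    match = re.match(r"\s*([A-Za-z_]+)", stripped)
    return match.group(1).upper() if match else ""

def allowlist_is_allowed(query: str) -> bool:
    """Allowlist instead of blocklist: permit only statements that begin with SELECT."""
    return first_keyword(query) == "SELECT"

def missed_by_naive(queries):
    """Queries the prefix blocklist accepts but the allowlist rejects (audit helper)."""
    return [q for q in queries if naive_is_allowed(q) and not allowlist_is_allowed(q)]

# Constructed sample of submitted queries, e.g. taken from an audit log.
SAMPLES = [
    "SELECT * FROM demo_devices",
    "INSERT INTO demo_table VALUES (1)",
    "INSERT/**/INTO demo_table VALUES (1)",       # pattern quoted in the advisory
    "select name from demo_users -- list users",
    "/* weekly report */ SELECT count(*) FROM demo_devices",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"naive={naive_is_allowed(q)!s:5} allowlist={allowlist_is_allowed(q)!s:5} {q}")
    print("Accepted by the blocklist only:", missed_by_naive(SAMPLES))
```

A keyword check of this kind is a pre-filter only; the database account behind the query form should itself hold read-only privileges so that the restriction does not depend on string matching.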

Solution:

Download the patch (zip file) from the link below:

https://uploads.zohocorp.com/Internal_Useruploads/dnd/OpManager/o_19qvi2v4k4e21k1o1j7ita3csp1/Submit-Query-Fix.zip

Steps:
  • Stop OpManager
  • Extract the downloaded zip file under the OpManager home directory
  • Start OpManager

P.S.: This patch is compatible with builds 11500 and 11600.

"IntegrationUser" Vulnerability Detail:

ManageEngine OpManager ships with a default account "IntegrationUser" with
the password "plugin". This account is hidden from the user interface and
will never show up in the user management. Also, changing the password for
this account is not possible by default. The account, however, is assigned
Administrator privileges and logging in with this account is possible via
the web interface.

Solution:

Download the patch (compatible with build 11600) from the link below:

https://uploads.zohocorp.com/Internal_Useruploads/dnd/OpManager/o_1a0224kib1ca71rph192016tsvvn1/SecurityPatch.zip

Steps:
  • Extract the SecurityPatch.zip file under the \OpManager folder.
  • Shut down the OpManager service.
  • Run the UpdatePatch.bat file under the OpManager\SecurityPatch folder.
  • Start the OpManager service.

The "IntegrationUser" user will be deleted from the DB.

P.S.: Please make sure the plugins are on the latest builds.
