SQL Injection Vulnerability Fix


Vulnerability: Blind SQL injection (unauthenticated)

Fix: Upgrade to Social IT vXXXX; OpManager vXXXX; IT360 vXXXX

Constraints: no authentication needed for OpManager and Social IT; authenticated in IT360

a)

POST /servlet/com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus?upgradeStatus=success&probeName=[SQLi]

POST /servlet/com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus?upgradeStatus=success&probeName=aaa'%3bcreate+table+bacas+(agga+text)%3b--+

b)

POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]

POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+ 


c)

POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!

POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)


Fix for the above vulnerability (compatible with 11300 and 11400)

1) Download the attached zip file and extract it under /OpManager

2) Stop and start OpManager


Please follow the steps below for 11600

1) Take a backup of web.xml from the \opmanager\web-inf\ folder

2) Replace it with the uploaded web.xml

https://uploads.zohocorp.com/Internal_Useruploads/dnd/OpManager/o_1ac9n1gh21egi152311fv1465o2g1/web.xml

3) Stop and start the OpManager service.

The change made in the file is:

<!--servlet-mapping> 
<servlet-name>com.adventnet.me.opmanager.servlet.APMIntegBusinessViewHandler</servlet-name> 
<url-pattern>/servlet/APMBVHandler</url-pattern> 
</servlet-mapping-->
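
One way to confirm the web.xml change took effect after the restart, as an added example (not ManageEngine's code): it parses web.xml and reports whether /servlet/APMBVHandler still has a live servlet-mapping. The sample documents and the ExampleServlet mapping are constructed, and only exact url-pattern matches are checked.

```python
import sys
import xml.etree.ElementTree as ET

# URL pattern whose <servlet-mapping> the web.xml change on this page comments out.
PATCHED_PATTERNS = ("/servlet/APMBVHandler",)
# Constructed samples: the page's mapping plus a made-up one, before and after the change.
MAPPING = """<servlet-mapping>
<servlet-name>com.adventnet.me.opmanager.servlet.APMIntegBusinessViewHandler</servlet-name>
<url-pattern>/servlet/APMBVHandler</url-pattern>
</servlet-mapping>"""
OTHER = ("<servlet-mapping><servlet-name>ExampleServlet</servlet-name>"
         "<url-pattern>/example</url-pattern></servlet-mapping>")
UNPATCHED = "<web-app>\n" + MAPPING + "\n" + OTHER + "\n</web-app>"
PATCHED = (UNPATCHED.replace("<servlet-mapping>", "<!--servlet-mapping>", 1)
           .replace("</servlet-mapping>", "</servlet-mapping-->", 1))


def _local(tag):  # strip a '{namespace}' prefix from an element tag
    return tag.rsplit("}", 1)[-1]


def active_mappings(web_xml):
    """Return {url-pattern: servlet-name}; ElementTree drops commented-out mappings."""
    live = {}
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        name, patterns = "", []
        for child in elem:
            text = (child.text or "").strip()
            if _local(child.tag) == "servlet-name":
                name = text
            elif _local(child.tag) == "url-pattern":
                patterns.append(text)
        live.update(dict.fromkeys(patterns, name))
    return live


def still_mapped(web_xml, patterns=PATCHED_PATTERNS):
    """List the patched URL patterns that web.xml still maps (exact match only)."""
    live = active_mappings(web_xml)
    return [p for p in patterns if p in live]


if __name__ == "__main__":
    doc = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PATCHED
    hits = still_mapped(doc)
    print("still mapped:", hits or "none")
    sys.exit(1 if hits else 0)
```

Run it with the path to the deployed web.xml as the only argument; a non-zero exit status means the mapping is still active.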
