            SQL Injection Vulnerability Fix


            Vulnerability: Blind SQL injection (unauthenticated)

            Fix: Upgrade to Social IT vXXXX; OpManager vXXXX; IT360 vXXXX

            Constraints: no authentication needed for OpManager and Social IT; authenticated in IT360

            a)

            POST /servlet/com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus?upgradeStatus=success&probeName=[SQLi]

            POST /servlet/com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus?upgradeStatus=success&probeName=aaa'%3bcreate+table+bacas+(agga+text)%3b--+

            b)

            POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]

            POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+ 


            c)

            POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!

            POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)


            Fix for the above vulnerability (compatible with 11300 and 11400)

            1) Download the attached zip file and extract it under /OpManager

            2) Stop and start OpManager


            For 11600, follow the steps below:

            1) Take a backup of web.xml from the \opmanager\web-inf\ folder

            2) Replace it with the uploaded web.xml:

            https://uploads.zohocorp.com/Internal_Useruploads/dnd/OpManager/o_1ac9n1gh21egi152311fv1465o2g1/web.xml

            3) Stop and start the OpManager service.

            The change made in the file is that the following servlet mapping is commented out:

            <!--servlet-mapping> 
            <servlet-name>com.adventnet.me.opmanager.servlet.APMIntegBusinessViewHandler</servlet-name> 
            <url-pattern>/servlet/APMBVHandler</url-pattern> 
            </servlet-mapping-->
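
One way to confirm the replaced web.xml is in effect on a 11600 install, as an added example (not ManageEngine's code): a Python check that parses web.xml and reports whether /servlet/APMBVHandler is still actively mapped. The function names and the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not the shipped file): the mapping is still live.
UNPATCHED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<servlet-mapping>
<servlet-name>com.adventnet.me.opmanager.servlet.APMIntegBusinessViewHandler</servlet-name>
<url-pattern>/servlet/APMBVHandler</url-pattern>
</servlet-mapping>
</web-app>"""

# Constructed sample: the same mapping commented out, as in the change above.
PATCHED = UNPATCHED.replace("<servlet-mapping>", "<!--servlet-mapping>").replace(
    "</servlet-mapping>", "</servlet-mapping-->")


def local(tag):
    """Drop a namespace prefix: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def active_mappings(web_xml, url_pattern="/servlet/APMBVHandler"):
    """Return servlet names that web_xml (str or bytes) still maps to url_pattern.

    ElementTree discards comments while parsing, so a commented-out
    <servlet-mapping> is not reported. Only exact pattern matches are
    checked; wildcard patterns are out of scope for this check.
    """
    hits = []
    for mapping in ET.fromstring(web_xml).iter():
        if local(mapping.tag) != "servlet-mapping":
            continue
        names = [(c.text or "").strip() for c in mapping if local(c.tag) == "servlet-name"]
        patterns = [(c.text or "").strip() for c in mapping if local(c.tag) == "url-pattern"]
        if url_pattern in patterns:
            hits.extend(names)
    return hits


if __name__ == "__main__":
    # Pass the path to web.xml as the first argument; with no argument, run on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            found = active_mappings(fh.read())
        print("still mapped:" if found else "not mapped", found)
        sys.exit(1 if found else 0)
    print("unpatched sample:", active_mappings(UNPATCHED))
    print("patched sample:  ", active_mappings(PATCHED))
```

Run it against the web.xml in the \opmanager\web-inf\ folder after restarting the service; a non-zero exit status means the mapping is still active.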

            Updated: 24 Feb 2016 05:26 AM