ManageEngine DesktopCentral Arbitrary File Upload Vulnerability

Summary
This host is running ManageEngine DesktopCentral and is prone to an arbitrary file upload vulnerability.
Impact
Successful exploitation will allow an attacker to gain arbitrary code execution on the server.
Impact Level: System/Application
Solution
Apply the patch supplied by the vendor (Patch 80293), http://www.manageengine.com/products/desktop-central
Insight
The flaw is in the AgentLogUploadServlet. This servlet takes input from an HTTP POST request and constructs an output file on the server without performing any sanitisation or even checking whether the caller is authenticated.
Affected
ManageEngine DesktopCentral 8.0.0 (build 80293 and below)
Detection
Send a crafted exploit string via an HTTP POST request and check whether it is able to create the file.