ManageEngine EventLog Analyzer Multiple Security Vulnerabilities

Summary
ManageEngine EventLog Analyzer is prone to an arbitrary file-upload vulnerability and an unauthorized-access vulnerability.
Impact
Attackers can exploit these issues to execute arbitrary code and gain unauthorized access to the critical sections of the application.
Solution
Ask the vendor for an update.

Workaround:
----------------------------------------------------------------------
1) Unauthenticated remote code execution

If agents are not used to collect log information, access to the servlet can be disabled by commenting out the following lines in the web.xml file (webapps/event/WEB-INF/web.xml) and restarting the service:

  <servlet>
    <servlet-name>agentUpload</servlet-name>
    <servlet-class>com.adventnet.sa.agent.UploadHandlerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>agentUpload</servlet-name>
    <url-pattern>/agentUpload</url-pattern>
  </servlet-mapping>

2) Authorization issues

No workaround. Reduce the attack surface by disabling unused low-privileged accounts such as 'guest'.
Insight
1) Unauthenticated remote code execution

ME EventLog Analyzer contains an 'agentUpload' servlet which is used by agents to send log data as ZIP files to the central server. Files can be uploaded without authentication and are stored and decompressed in the 'data' subdirectory. Because the decompression routine handles the file names inside the ZIP archive in an insecure way, it is possible to store files in the web root of the server. This can be used to upload and execute code with the rights of the application server.

2) Authorization issues

The EventLog Analyzer web interface does not check whether an authenticated user has sufficient permissions to access certain parts of the application. A low-privileged user (for example 'guest') can therefore access critical sections of the web interface by directly calling the corresponding URLs. This can be used to reach the database browser of the application, which gives the attacker full access to the database.
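The file-name handling weakness in point 1 is what a safe extraction routine has to guard against. The following is an added Python example, not code from the product or from this advisory: it resolves every entry name against the intended 'data' directory before writing anything and rejects names that escape it, exercised with a constructed benign archive and a constructed hostile one (the 'webapps/event/dropped.jsp' name is a placeholder).

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract an uploaded ZIP into dest, refusing entries whose resolved path escapes dest."""
    dest_root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate every entry before writing anything, so a hostile archive leaves no partial extraction.
        for info in zf.infolist():
            target = (dest_root / info.filename).resolve()
            if target != dest_root and dest_root not in target.parents:
                raise ValueError(f"entry escapes extraction directory: {info.filename!r}")
        written = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = dest_root / info.filename
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {entry_name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Feed a benign and a constructed hostile archive to safe_extract in a scratch tree."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = os.path.join(tmp, "data")  # stands in for the product's 'data' subdirectory
        os.makedirs(data_dir)
        benign = build_zip({"agent1/app.log": b"constructed log line\n"})
        # Constructed hostile entry: its name walks out of 'data' towards a web root (placeholder path).
        hostile = build_zip({"../webapps/event/dropped.jsp": b"placeholder"})
        ok = safe_extract(benign, data_dir)
        try:
            safe_extract(hostile, data_dir)
            blocked = False
        except ValueError:
            blocked = True
        escaped = os.path.exists(os.path.join(tmp, "webapps", "event", "dropped.jsp"))
    return {"benign": ok, "hostile_blocked": blocked, "file_outside_data": escaped}
```

Calling demo() extracts the benign archive normally and rejects the hostile one before any file is written outside 'data'.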
Affected
EventLog Analyzer 9.9 Build 9002 and prior are vulnerable.
Detection
Upload a specially crafted ZIP file and check whether /openvas.jsp exists afterwards and contains an expected string.
References