Title: Manage Engine Applications Manager 12 Multiple Vulnerabilities
Advisory ID: ZSL-2016-5292
Type: Local/Remote
Impact: Cross-Site Scripting, Privilege Escalation
Risk: (3/5)
Release Date: 13.01.2016

Summary

ManageEngine Applications Manager is an application performance monitoring solution that proactively monitors business applications and help businesses ensure their revenue-critical applications meet end user expectations. Applications Manager offers out-of-the-box monitoring support for 50+ applications and servers..

Description

Applications Manager suffers from multiple vulnerabilities including XSS, CSRF and Privilege Escalation.

Vendor

Zoho Corporation Pvt. Ltd. - https://www.manageengine.com

Affected Version

12

Tested On

Apache-Coyote/1.1
PostgreSQL

Vendor Status

[22.10.2015] Contact with the vendor.
[23.10.2015] Vendor responded asking for details.
[23.10.2015] Advisory and details sent to vendor.
[03.11.2015] Follow up with the vendor. No response received.
[06.11.2015] Second follow up with the vendor. No response received.
[22.12.2015] Final follow up with the vendor. No response received.
[13.01.2016] Public security advisory released.

PoC

app_mgr_mv.txt

Credits

Vulnerability discovered by Bikramaditya Guha - <bik@zeroscience.mk>

References

[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5291.php
[2] https://cxsecurity.com/issue/WLB-2016010085
[3] https://www.exploit-db.com/exploits/39235/
[4] https://packetstormsecurity.com/files/135254

Changelog

[13.01.2016] - Initial release
[14.01.2016] - Added reference [2] and [3]
[16.01.2016] - Added reference [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk