exploit the possibilities

EventLog Analyzer 9.0 Build #9000 Cross Site Scripting

EventLog Analyzer 9.0 Build #9000 Cross Site Scripting
Posted Jul 22, 2014
Authored by Andrea Bodei, Sisco Barrera, A. Tsvetkov | Site A2secure.com

EventLog Analyzer version 9.0 build #9000 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 4b1b710e11b47d76cf3b2a01d0ea9c278c0b79e7f27a9916a173ab3c04677646

EventLog Analyzer 9.0 Build #9000 Cross Site Scripting

Change Mirror Download
We discovered a vulnerability in the EventLog Analyzer web application.

Vulnerability Type: Cross-site Scripting

Original Release: June 20, 2014

Discovered by:
Security Team - A2SECURE
Artëm Tsvetkov atsvetkov@a2secure.com
Sisco Barrera sbarrera@a2secure.com
Andrea Bodei abodei@a2secure.com

Products and affected versions:
MANAGEENGINE EVENTLOG ANALYZER 9.0 build #9000

Company: A2SECURE - España
A2Secure Website: http://www.a2secure.com
Vendor Website: http://www.manageengine.com
Application Website: http://www.manageengine.com/products/eventlog/



===========================
Background
===========================

EventLog Analyzer is a Security Information and Event Management (SIEM) software. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting, and archiving from one central location. This event log analyzer software helps to mitigate file integrity, conduct log forensics analysis, monitor privileged users and comply to different compliance regulatory bodies by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more.



===========================
Vulnerability Details
===========================

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

EventLog Analyzer should correctly filter input data using a whitelist of allowed characters, encoding, or a similar technique.


===========================
Proof of Concept
===========================

The login username parameter is vulnerable to Cross-site Scripting

Domain: https://localhost:8500
Method: POST
Path: /event/j_security_check
Parameter: j_username
Payload: "><script>alert(1);</script>



===========================
Credits / Author
===========================

Artëm Tsvetkov
www.a2secure.com



===========================
Disclaimer
===========================

All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore A2Secure shall not be liable for any direct or indirect damages that might be caused by using this information.
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close