[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Reflected XSS Vulnerability In Manage Engine Firewall Analyzer

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Reflected XSS Vulnerability In Manage Engine Firewall Analyzer
From: kkulkarni@xxxxxxxxxxxxxxx
Date: Tue, 21 Apr 2015 19:24:00 GMT

========================================================================
=======Reflected XSS Vulnerability In Manage Engine Firewall Analyzer
========================================================================
=======

. contents:: Table Of Content

Overview
========

* Title : Reflected XSS Vulnerability in XSS In Manage Engine Firewall Analyzer
* Author: Kapil Kulkarni
* Plugin Homepage: 
https://www.manageengine.com/products/firewall/?gclid=CKH3rLyNiMUCFUQnjgodwHIA1A&gclsrc=aw.ds
 
* Severity: Low
* Version Affected: Version 8.3 Build Number:8300
* version patched: Separate Patch release for all version

Description 
===========

About the Product
=================
ManageEngine Firewall Analyzer is an agent less log analytics and configuration 
management software that helps network administrators to centrally collect, 
archive, analyze their security device logs and generate forensic reports out 
of it.
Real-time event response system and Integrated Compliance Management module of 
Firewall Analyzer automates your end point security monitoring, network 
bandwidth monitoring and security & compliance auditing. Firewall Analyzer 
eases your Device Configuration Management by providing out-of-the-box reports 
and alerts for configuration changes. Firewall Analyzer is vendor-agnostic and 
supports almost all open source and commercial network firewalls like Check 
Point, Cisco, Juniper, Fortinet, Snort, Squid Project, SonicWALL, Palo Alto and 
more, IDS/IPS, VPNs, Proxies and other related security devices


Vulnerable Parameter 
--------------------

* j_username

About Vulnerability
-------------------
This Product is vulnerable to a combination of XSS attack meaning that if an 
admin user can be tricked to visit a crafted URL created by attacker (via spear 
phishing/social engineering), the attacker can execute arbitrary code into 
login page. Once exploited, admin?s browser can be made to do almost anything 
the admin user could typically do by hijacking admin's cookies etc.

Vulnerability Class
=================== 
Cross Site Scripting 
(https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XS
S)

Steps to Reproduce: (POC)
=========================
1. After Setting up Manage engine navigate to its user interface

2. Use this payload in Username field

#####payload To Use#######################
"><script>alert(document.cookie)</script>
##########################################

3. And see the XSS in action.

#Live Poc URL
http://2.bp.blogspot.com/-tR6Sj42AU3U/VTah88edXnI/AAAAAAAABMo/N8DjRQorso4/s1600/poc_xss.JPG
 
http://kapil-hackertutorials.blogspot.in/ 

Mitigation 
==========
Follow the below steps to fix the issue:
Please find the fix for XSS vulnerabilities:

1. Stop the FWA service.

2. Download the fix and extract it:

This would contain 7 fix folders and 1 additional folder:

?       FWA Home - conf    (1 file)
?       FWA Home - lib   (8 files)
?       FWA Home - lib - resources   (2 files)
?       FWA Home - webapps - fw - images    (1 file)
?       FWA Home - webapps - fw - javascript    (2 files)
?       FWA Home - webapps - fw - styles     (1 file)
?       FWA Home - webapps - fw - WEB-INF    (2 files)
and

?       Screen-shot folder
// The last additional folder containing screen-shots for your reference 
explaining "what files have to be placed / replaced?" and "Where?" //
  
3. Now place or replace the files as per the screen-shots from the above 7 
folders to their respective locations as instructed below:


Location        Files which has to be newly placed      Files which has to be 
replaced 
(A similar would be there in this 
location , just replace it)
C:\ManageEngine\Firewall\conf   
antisamy-fwa-policy.xml -
C:\ManageEngine\Firewall\lib    
antisamy-1.5.3
batik-css.jar
nekohtml.jar
ss_css2.jar
xercesImpl.jar
xml-apis.jar    FirewallAnalyzerJSP.jar
LogAnalyzerClient.jar
C:\ManageEngine\Firewall\lib\resources  -       
MessageResources.prop
MessageResources_JS_en_US.prop
C:\ManageEngine\Firewall\webapps\fw\images      
errorpage.png   -
C:\ManageEngine\Firewall\webapps\fw\javascript  -       
FAUtil.js
PolicyReport.js
C:\ManageEngine\Firewall\webapps\fw\styles      -       
newTheme.css
C:\ManageEngine\Firewall\webapps\fw\WEB-INF     -       
struts-config.xml
web.xml

 // C:\ManageEngine\Firewall is referred as <FWA Home> i.e. Default FWA 
installation folder //

4. Start the FWA service.

This should fix the vulnerability issues. 
Change Log
==========

Disclosure 
==========
23-March-2015 Reported to Developer
28-February-2015 Acknowledgement from Developer
04-April-2015 Fixed by developer
05-April-2015 Requested a CVE ID 
22-April-2015 Public Disclosed 
credits
=======
* Kapil Kulkarni 
* Information Security Testing
* ControlCase International Pvt Ltd. 
* https://www.facebook.com/kapil.kulkarni.587
*https://in.linkedin.com/pub/kapil-kulkarni-c-eh/63/337/5a3

Prev by Date: Stored Cross Site Scripting Vulnerability in Add Link to Facebook WordPress Plugin
Next by Date: Reflected XSS Vulnerability In Manage Engine Event Log Analyzer
Previous by thread: Stored Cross Site Scripting Vulnerability in Add Link to Facebook WordPress Plugin
Next by thread: Reflected XSS Vulnerability In Manage Engine Event Log Analyzer
Index(es):
- Date
- Thread