ManageEngine Firewall Analyzer 8.5 SP-5.0 Multiple XSS Vulnerabilities
Title: ManageEngine Firewall Analyzer 8.5 SP-5.0 Multiple XSS Vulnerabilities
Advisory ID: ZSL-2016-5307
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 23.02.2016
[29.01.2016] Vendor contacted.
[01.02.2016] Vendor responds asking more details.
[01.02.2016] Sent details to the vendor.
[02.02.2016] Vendor security team looking into the issues.
[12.02.2016] Asked vendor for status update.
[15.02.2016] Vendor states that this was forwarded to R&D team and will be fixed in next release.
[15.02.2016] Asked vendor to provide more information about the release date and patch version.
[23.02.2016] Vendor released version 12 that fixes these issues and separate upgrade for 8.5 will be available in couple of months time.
[23.02.2016] Coordinated public security advisory released.
[2] https://packetstormsecurity.com/files/135931
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/111009
[24.02.2016] - Added reference [1]
[25.02.2016] - Added reference [2]
[29.02.2016] - Added reference [3]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5307
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 23.02.2016
Summary
ManageEngine Firewall Analyzer is an agent-less log analytics and configuration management software that helps network administrators to centrally collect, archive, analyze their security device logs and generate forensic reports out of it.Description
Firewall Analyzer suffers from multiple reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.Vendor
Zoho Corporation Pvt. Ltd. - https://www.manageengine.comAffected Version
8.5 SP-5.0 (Build 8500)Tested On
Apache-Coyote/1.1Vendor Status
[26.01.2016] Vulnerabilities discovered.[29.01.2016] Vendor contacted.
[01.02.2016] Vendor responds asking more details.
[01.02.2016] Sent details to the vendor.
[02.02.2016] Vendor security team looking into the issues.
[12.02.2016] Asked vendor for status update.
[15.02.2016] Vendor states that this was forwarded to R&D team and will be fixed in next release.
[15.02.2016] Asked vendor to provide more information about the release date and patch version.
[23.02.2016] Vendor released version 12 that fixes these issues and separate upgrade for 8.5 will be available in couple of months time.
[23.02.2016] Coordinated public security advisory released.
PoC
fwanalyzer_xss.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://cxsecurity.com/issue/WLB-2016020209[2] https://packetstormsecurity.com/files/135931
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/111009
Changelog
[23.02.2016] - Initial release[24.02.2016] - Added reference [1]
[25.02.2016] - Added reference [2]
[29.02.2016] - Added reference [3]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk