Arbitrary File Upload Vulnerability (CVE-2014-5005) for multiple ManageEngine Products)

Arbitrary File Upload Vulnerability (CVE-2014-5005) for multiple ManageEngine Products)

Release date:
Updated on: 2014-09-03

Affected Systems:
ManageEngine implements topcentral 8-9 build 90054
Description:
--------------------------------------------------------------------------------
Bugtraq id: 69494
CVE (CAN) ID: CVE-2014-5005

ManageEngine is an enterprise-level IT management software, including network management, server, desktop and application management.

ManageEngine Desktop Central 7-9 build 90054 and ManageEngine Desktop Central MSP have the Arbitrary File Upload Vulnerability. Attackers can exploit this vulnerability to upload arbitrary code and run it in the context of Web server processes.

<* Source: Pedro Ribeiro
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
POST/statusUpdate? ActionToCall = LFU & amp; customerId = 1337 & amp; fileName = .. /.. /.. /.. /.. /.. /shell. jsp & amp; configDataID = 1 & lt ;... jsp shell here... & gt;

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

ManageEngine
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.manageengine.com/products/desktop-central/

This article permanently updates the link address: