|Title||ManageEngine EventLog Analyzer Multiple Vulnerabilities|
|CVE||CVE-2014-7200 (XSS), CVE-2014-7201 (SQLi)|
|Product||dmmjobcontrol (Typo3 Extension)|
|By||Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)|
EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, searching, reporting, and archiving from one central location. This event log analyzer software helps to mitigate internal threats, conduct log forensics analysis, monitor privileged users and comply to different compliance regulatory bodies by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, regulatory compliance reports, historical trend reports, and more.
During a penetration test, multiple vulnerabilities have been identified that are based on severe design/implementation flaws in the application. It is highly recommended not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved.
|CVSS Base Score||7.8|
|CVSS v2 Vector||(AV:N/AC:L/Au:N/C:C/I:N/A:N)|
1) Unauthenticated remote code execution
ME EventLog Analyzer contains a "agentUpload" servlet which is used by Agents to send log data as zip files to the central server. Files can be uploaded without authentication and are stored/decompressed in the "data" subdirectory.
As the decompress procedure is handling the file names in the ZIP file in a insecure way it is possible to store files in the web root of server. This can be used to upload/execute code with the rights of the application server.
2) Authorization issues
The EventLog Analyzer web interface does not check if an authenticated has sufficient permissions to access certain parts of the application. A low privileged user (for example guest) can therefore access critical sections of the web interface, by directly calling the corresponding URLs. This can be used to access the database browser of the application which gives the attacker full access to the database.
The following PoC Python script can be used to download PHP files from a attacker controlled host.
1) Unauthenticated Blind SQL Injection The following PoC shows blind based SQL injection on the sector parameter, other parameters are also vulnerable http://xxxx/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bsector%5D%5B%5D=3%29and%20benchmark%2820000000%2csha1%281%29%29--%20 2) Reflected Cross Site Scripting (XSS) http://172.16.37.232/typo3/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bkeyword%5D="><script>alert(1);</script>
|05/09/2014||Reporting to the Typo3 Security team|
|05/09/2014||Response from Typo3 Security team that they received the mail|
|24/09/2014||Mail to Typo3 Security team, asking for the current status|
|25/09/2014||Response from Typo3 Security Team that they released an advisory|
|25/09/2014||Release of public advisory|
In the file: typo3conf/ext/dmmjobcontrol/pi1/class.tx_dmmjobcontrol_pi1.php
To fix the Cross Site Scripting (XSS) vulnerability, replace line 112 with the following PHP code:
$markerArray['###KEYWORD_VALUE###'] = htmlspecialchars($session['search']['keyword'], ENT_QUOTES);
To fix the SQL Injection vulnerability, replace line 257 with the following PHP code:
$whereAdd = $table.'.uid_local=tx_dmmjobcontrol_job.uid AND ('.$table.'.uid_foreign='.implode(' OR '.$table.'.uid_foreign=', intval($value)).')';
 TYPO3-EXT-SA-2014-012: Several vulnerabilities in extension JobControl (dmmjobcontrol) http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-012
Advisory URL: https://www.mogwaisecurity.de/#lab
Mogwai, IT-Sicherheitsberatung Muench
89075 Ulm (Germany)