ManageEngine ServiceDesk Plus version 8.0 allows a user with limited privileges access to certain functionality that should only be available to administrative users. Proof of concept included.
e8ccc4a1e95942aa9e19d5eff1d90052cd550386db0397b0735cad9c2fbbea44
================================================================================
Secur-I Research Group Security Advisory [SRG-2011-002]
================================================================================
Title : ManageEngine ServiceDesk Plus Improper User Privileges Management Vulnerability
Product : ServiceDesk Plus (http://www.manageengine.com/)
Affected Version : 8.0 (Other versions could also be affected)
Fixed Version : N/A
Vunerability Impact : High
Advisory ID : SV-002
Pubished Date : 26-JUL-2011
Author : Narendra Shinde
Secur-I Research Group
http://www.securview.com/
================================================================================
Product Introduction
--------------------
ServiceDesk Plus integrates your help desk requests and assets to help you manage your IT effectively. It helps you implement ITIL best practices and troubleshoot IT service requests faster. ServiceDesk Plus is highly customizable, easy-to-implement help desk software. More than 10,000 IT managers worldwide use ServiceDesk Plus to manage their IT help desk and assets.ServiceDesk Plus is available in 23 different languages.
Source: http://www.manageengine.com/products/service-desk/
Vulnerability Information
-------------------------
Class: Improper Privilege Management [CWE-269]
Impact: Low privileged user can modify application data
Remotely Exploitable: Yes
Authentication Required: Yes
User interaction required: Yes
CVE Name: N/A
Vulnerability Description
-------------------------
A user with limited privileges could gain access to certain functionality that is available only to administrative users. For example, users with Guest privileges could delete backup database from the system by submitting a malicious URI to the vulnerable application. This is due to insufficient security checks on user permissions while completing the backup database deletion operation.
Proof-of-Concept
----------------
An attacker could delete the database backup for the vulnerable application using the following URI:
http://vulnserver/BackupSchedule.do?module=delete_backup&backup_ids=[ID]
By default, backup_ids start with a numeric value of 301.
Fixes/Workarounds
-----------------
Currently there is no vendor supplied fix available for this vulnerability at the time of this publication. Users are advised to limit exposure by enforcing appropriate firewall rules.
TimeLine
--------
Notification to Vendor: 11-Jul-2011
Vendor Confirmation : 14-Jul-2011
Public Disclosure : 26-Jul-2011
Thanks & Regards,
Narendra.
Confidentiality: This e-mail and any attachments may be confidential and may also be privileged. If you are not an intended named recipient, please notify the sender immediately and do not disclose the contents to another person use it for any purpose, or store or copy the information in any medium.