cbcvebase.
CVE-2014-6034
published 2014-12-04


Priority: P3 (59)   Severity: medium   CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploit: available
EPSS: 79.48% (99.6th percentile)
Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.

Affected

14 ranges

Vendor     Product                       Version range                                   Fixed in
zohocorp   manageengine_it360            <= 10.4
zohocorp   manageengine_opmanager        12 ranges (bounds not preserved in this extraction)
zohocorp   manageengine_social_it_plus

Detection & IOCs (extracted from sources)

url:  POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war
path: /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector
path: ../../../tomcat/webapps
path: ../../../tomcat/conf
  • Detect unauthenticated POST requests to the FileCollector servlet path containing a 'regionID' parameter with directory traversal sequences (e.g., '../') and a 'FILENAME' parameter ending in '.war'. A GET to the same servlet returning HTTP 405 indicates the endpoint is present and potentially vulnerable.
  • Alert on POST requests to '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector' where the 'regionID' query parameter contains dot-dot traversal sequences targeting Tomcat webapps or conf directories.
  • Monitor for unexpected .war file creation under the Tomcat webapps directory, especially files with random alphanumeric names, as the exploit generates a random app_base name for the payload WAR.
  • The exploit uploads a context.xml replacement to 'tomcat/conf' on a second attempt; monitor for POST requests to the FileCollector servlet with FILENAME=context.xml as an indicator of a retry/escalation attempt.
  • The vulnerability is unauthenticated on OpManager and Social IT Plus, meaning no session cookie or authentication header is required; detections should not filter on authenticated sessions for these products.
  • The exploit targets the default Tomcat deployment path '../../../tomcat/webapps'; if the Tomcat installation path differs from the default, the traversal depth and path in the regionID parameter will vary.
  • The module waits a configurable number of seconds (default 15) for WAR deployment before executing the payload; detection based on timing between upload and execution requests should account for this delay.
  • The server returns either HTTP 500 or HTTP 200 on a successful WAR upload to this servlet; a 500 response does NOT necessarily indicate failure and should not be used alone to rule out exploitation.
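The detection points above can be turned into a small access-log scanner. The following is an added example written for this page; it is not code from the advisory source or from ManageEngine. It assumes Tomcat common log format, uses constructed sample lines (not real traffic, assumed chronological), and relies on the standard Tomcat behaviour that a deployed foo.war is served under the /foo/ context so that a later request into that context can be correlated with the upload. It deliberately ignores the response status, decodes query values twice to catch double-encoded traversal, and flags the context.xml retry described above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Servlet path named in the advisory.
FILECOLLECTOR_PATH = (
    "/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"
)

# Constructed sample Tomcat access-log lines (common log format); not real traffic.
# Assumed to be in chronological order.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Dec/2014:10:10:58 +0000] "GET /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector HTTP/1.1" 405 0
203.0.113.7 - - [04/Dec/2014:10:11:12 +0000] "POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=xkq9a2.war HTTP/1.1" 500 231
203.0.113.7 - - [04/Dec/2014:10:11:28 +0000] "GET /xkq9a2/ HTTP/1.1" 200 17
203.0.113.7 - - [04/Dec/2014:10:11:30 +0000] "POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=..%252F..%252F..%252Ftomcat%252Fconf&FILENAME=context.xml HTTP/1.1" 200 0
198.51.100.9 - - [04/Dec/2014:10:12:01 +0000] "POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=region1&FILENAME=report.txt HTTP/1.1" 200 12
198.51.100.9 - - [04/Dec/2014:10:12:05 +0000] "GET /apiclient/ember/index.jsp HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path component with either separator, anywhere in the value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def decode_param(qs, name):
    """First value of a query parameter, decoded a second time so that
    %252F-style double encoding does not hide a traversal sequence."""
    raw = qs.get(name, [""])[0]  # parse_qs already removed one layer
    return unquote(raw)


def classify(line, uploaded_wars):
    """Return a finding dict for one log line, or None.

    uploaded_wars maps client IP -> set of WAR basenames that client was seen
    uploading; it is updated in place so later requests into the deployed
    context (hypothetical correlation, see lead-in) can be tied back."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, status = m["ip"], m["method"], int(m["status"])
    parts = urlsplit(m["target"])
    base = {"ip": ip, "ts": m["ts"], "status": status}

    # Follow-up request into a context named like an earlier WAR upload.
    first_segment = parts.path.strip("/").split("/")[0]
    if first_segment and first_segment in uploaded_wars.get(ip, set()):
        return {**base, "severity": "high",
                "reasons": ["request to context of previously uploaded WAR"]}

    if parts.path != FILECOLLECTOR_PATH:
        return None
    if method == "GET":
        # A 405 on GET only confirms the servlet exists; keep it as context.
        return {**base, "severity": "info",
                "reasons": ["GET probe of FileCollector servlet"]}
    if method != "POST":
        return None

    qs = parse_qs(parts.query, keep_blank_values=True)
    region = decode_param(qs, "regionID")
    filename = decode_param(qs, "FILENAME")

    reasons = []
    if TRAVERSAL_RE.search(region):
        reasons.append("traversal sequence in regionID")
    if filename.lower().endswith(".war"):
        reasons.append("WAR file upload")
        uploaded_wars.setdefault(ip, set()).add(filename[:-4])
    if filename.lower() == "context.xml":
        reasons.append("context.xml replacement (retry/escalation)")
    if not reasons:
        return None
    # Status is intentionally not used to suppress: 500 and 200 both occur on success.
    severity = "high" if reasons[0].startswith("traversal") else "medium"
    return {**base, "severity": severity, "reasons": reasons}


def scan_log(text):
    """Run classify() over every line, keeping per-client upload state."""
    uploaded = {}
    findings = []
    for line in text.splitlines():
        f = classify(line, uploaded)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["severity"], f["status"], "; ".join(f["reasons"]))
```

Run against the constructed sample, the scanner reports the GET probe as informational, the traversal-plus-WAR POST (with its HTTP 500) and the double-encoded context.xml retry as high, and the later request into the /xkq9a2/ context as high; the benign POST with a plain regionID produces nothing. If Tomcat is not installed at the default relative path, widen TRAVERSAL_RE matching rather than hard-coding the '../../../tomcat/webapps' string.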