CVE-2014-7866
published 2014-12-10CVE-2014-7866: Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow…
PriorityP271high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
79.76%
99.6th percentile
Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a downloadFileFromProbe operation to the MigrateCentralData servlet.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_it360 | — | — |
| zohocorp | manageengine_it360 | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_social_it_plus | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00↗
- →Detect directory traversal attempts targeting the MigrateLEEData servlet via the 'fileName' parameter containing '../' sequences, especially with a null byte (%00) to bypass extension checks. ↗
- →Detect directory traversal attempts targeting the MigrateCentralData servlet via the 'zipFileName' parameter in a 'downloadFileFromProbe' operation, containing '../' sequences and null byte (%00). ↗
- →Alert on POST requests to /servlet/MigrateLEEData or /servlet/MigrateCentralData containing dot-dot sequences ('..') in query string parameters, indicative of path traversal exploitation. ↗
- →Monitor for WAR file uploads (files ending in .war) being written to Tomcat webapps directories via traversal paths, which would indicate successful remote code execution staging. ↗
- →This vulnerability is unauthenticated on OpManager and Social IT Plus, so no session/auth token is required — alert on traversal payloads from unauthenticated sessions to these endpoints. ↗
- ·The null byte (%00) in the fileName/zipFileName parameter is used to truncate the filename and bypass server-side extension validation — detection rules must account for URL-encoded null bytes in these parameters. ↗
- ·Affected version range is imprecisely known; at minimum OpManager v8 build 88XX through 11.4, IT360 10.3/10.4, and Social IT 11.0 are confirmed vulnerable. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities
exploitdb·2014-11-10·CVSS 7.5
CVE-2014-7868 [HIGH] ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities
---
>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last
updated: 09/11/2014
>> Background on the affected products:
"ManageEngine OpManager is a network and data center infrastructure
management software that helps large enterprises, service providers
and SMEs manage their data centers and IT infrastructure efficiently
and cost effectively. Automated workflows, intelligent alerting
engines, configurable discovery rules, and extendable templates enable
IT teams to setup a 24x7 monitoring system within hours of
installation."
"Social IT Plus off
Exploit-DB
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities
exploitdb·2014-11-09·CVSS 5.0
CVE-2014-7868 [MEDIUM] ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities
---
>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014
>> Background on the affected products:
"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation."
"Social IT Plus off
No writeups or analysis indexed.
http://packetstormsecurity.com/files/129037/ManageEngine-OpManager-Social-IT-Plus-IT360-File-Upload-SQL-Injection.htmlhttp://seclists.org/fulldisclosure/2014/Nov/21http://www.securityfocus.com/archive/1/533946/100/0/threadedhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txthttps://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerabilityhttp://packetstormsecurity.com/files/129037/ManageEngine-OpManager-Social-IT-Plus-IT360-File-Upload-SQL-Injection.htmlhttp://seclists.org/fulldisclosure/2014/Nov/21http://www.securityfocus.com/archive/1/533946/100/0/threadedhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txthttps://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability
2014-12-10
Published