PT-2011-10: Abritrary Files Loading in ManageEngine ServiceDesk Plus 8.0
ManageEngine ServiceDesk Plus
Version: 8.0 and earlier
Severity level: High
Impact: Arbitrary Code Execution
Access Vector: Remote
Base Score: 8.5
CVE: not assign
ManageEngine ServiceDesk Plus is a technical support and assests management system.
The specialists of the Positive Research center have detected "Abritrary Files Loading" vulnerability in ManageEngine ServiceDesk Plus.
Insufficient CSV file input filtering in user import script allows attackers with guest privileges (account guest/guest) overwrite an arbitrary file in bin folder in ServiceDesk application via TP POST request. This vulnerability allows attackers to overwrite the script that starts and stops applciations that lead to arbitrary code execution as application is started or stopped.
How to fix
Update your software up to the latest version
24.06.2011 - Vendor is notified
28.06.2011 - Vendor gets vulnerability details
23.04.2012 - Vendor releases fixed version and details
13.09.2012 - Public disclosure
The vulnerability has discovered by Alexander Zaitsev, Positive Research Center (Positive Technologies Company)
Reports on the vulnerabilities previously discovered by Positive Research: