PT-2011-13: Privilege Gaining in ManageEngine ServiceDesk Plus 8.0.0

Vulnerable software

ManageEngine ServiceDesk Plus
Version: 8.0 (8026) and earlier

Application link:
http://www.servicedeskplus.com

Severity level

Severity level: Medium
Impact: ServiceDesk Administrator Privilege Gaining
Access Vector: Network exploitable 

CVSS v2:
Base Score: 6.5
Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVE: not assigned

Software description

ManageEngine ServiceDesk Plus is a technical support and assests management system.

Vulnerability description

The specialists of the Positive Research center have revealed privilege gaining vulnerability in ManageEngine ServiceDesk Plus.

Insufficient privilege validation allows attackers with guest privileges (account guest/guest) to create a user with servicedesk administrator privileges via HTTP GET request.

How to fix

Update your software up to the latest version

Advisory status

24.06.2011 - Vendor is notified
28.06.2011 - Vendor gets vulnerability details
29.03.2012 - Vendor releases fixed version and details
23.04.2012 - Public disclosure

Credits

The vulnerability was discovered by Alexander Zaitsev, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2011-13

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/