Multiple vulnerabilities have been discovered in ManageEngine ServiceDesk Plus, which can be exploited by malicious users to conduct script insertion attacks and bypass certain security restrictions.

1) An error in the application does not properly verify permissions before deleting a backup file.

2) Input passed via the "siteName" parameter to SiteDef.do and the "wsName" parameter to ManualNodeAddition.do is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

3) Input passed via the "fullName" parameter to TechnicianDef.do (when "module" is set to "add_tech_details_addNew") is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

4) Input passed via the "groupName" parameter to GroupResourcesDef.do (when "createGroup" is set to "true") is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

5) Input passed via the "agreementNumber" parameter to LicenseAgreement.do (when "operation" is set to "addagreement") is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

6) Input passed via the "reqName" parameter to e.g. AddNewChange.cc is not properly sanitised in ChangeDetails.cc before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

7) Input passed via the "reqName" parameter to AddNewProblem.cc, the "organizationName" parameter to VendorDef.do, the "supportDetails", "contractName", and "comments" parameters to ContractDef.do, and the "keywords" and "comments" parameters to AddSolution.do is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation of vulnerabilities #2-7 requires the "technician" role.

8) Input passed via the "description" and "attach" parameters to WorkOrder.do and the "COMMENTS" parameter to calendar/MarkUnavailability.jsp is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation of this vulnerability requires the "requester" role.

The vulnerabilities are confirmed in version 8.0.0 Build 8015. Other versions may also be affected.

Solution
Restrict access to BackupSchedule.do e.g. using a firewall. Restrict access to trusted users only.

Provided and/or discovered by
1-5) Narendra Shinde
6-8) Gjoko 'LiquidWorm' Krstic

Changelog
Further details available to Secunia VIM customers

Original Advisory
ZSL-2011-5039:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5039.php

Deep Links
Links available to Secunia VIM customers