mirror of
https://github.com/0xMarcio/cve.git
synced 2025-06-19 17:30:12 +00:00
1.1 KiB
1.1 KiB
CVE-2014-6037
Description
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072.
POC
Reference
- http://packetstormsecurity.com/files/128102/ManageEngine-EventLog-Analyzer-9.9-Authorization-Code-Execution.html
- http://seclists.org/fulldisclosure/2014/Aug/86
- http://seclists.org/fulldisclosure/2014/Sep/1
- http://seclists.org/fulldisclosure/2014/Sep/19
- http://seclists.org/fulldisclosure/2014/Sep/20
- http://www.exploit-db.com/exploits/34519
Github
No PoCs found on GitHub currently.