ManageEngine Security Manager Plus 5.5 SQL Injection

ManageEngine Security Manager Plus versions 5.5 build 5505 remote SYSTEM/root SQL injection exploit that spawns a shell.

ManageEngine offers simple, easy-to-use IT Management products at a price that every business can afford. It is thoughtfully built with SMBs in mind and eventually scales for large businesses. The ManageEngine 90-10 promise gets you 90% of the features of the Big 4 at 10% of the price.

Vulnerability: The SQL injection is possible on the "Advanced Search"; the input is not validated correctly. To make it even worse, the search can be accessed without any authentication. Security Manager Plus also has to run as root or SYSTEM user, which makes a remote shell with root/SYSTEM privileges possible....
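
An added example, not code from the exploit or from Security Manager Plus, showing the two code-level conditions named above (search input pasted into the SQL text, and a search handler with no authentication check) next to a hardened form. The `patches` table, its columns, the `session` dictionary and all rows are hypothetical and constructed for illustration; the root/SYSTEM service account is a deployment setting and is not modelled.

```python
import sqlite3

# Constructed sample data; the table, columns and rows are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patches (id INTEGER, host TEXT, title TEXT)")
    db.executemany("INSERT INTO patches VALUES (?, ?, ?)", [
        (1, "web01", "openssl update"),
        (2, "db01", "kernel update"),
        (3, "web02", "openssl update"),
    ])
    return db

def search_vulnerable(db, field, term):
    """The flawed pattern: no authentication check, input pasted into the SQL text."""
    sql = "SELECT id FROM patches WHERE " + field + " = '" + term + "'"
    return [row[0] for row in db.execute(sql)]

SEARCHABLE = {"host", "title"}  # identifiers cannot be bound, so allow-list them

def search_hardened(db, session, field, term):
    """Same search with an authentication check, an allow-listed column and a bound value."""
    if not session or not session.get("authenticated"):
        raise PermissionError("search requires an authenticated session")
    if field not in SEARCHABLE:
        raise ValueError("unknown search field: %r" % (field,))
    sql = "SELECT id FROM patches WHERE " + field + " = ?"
    return [row[0] for row in db.execute(sql, (term,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that changes the WHERE clause
    print(search_vulnerable(db, "host", crafted))   # every row comes back
    print(search_hardened(db, {"authenticated": True}, "host", crafted))  # no rows
```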

Published by:

Name: Reza Rafati

Information: I am the founder of Cyberwarzone.com and I focus on sharing and collecting relevant cyberconflict news. The goal of Cyberwarzone is to provide the world a portal with global cyberwar information. The effort in getting this cyberwarfare information is hard. But as the internet is growing we need to get a global cyberwar & cybercrime monitoring system. By the people and for the people. We will be gathering information about Cybercrime, Cyberwarfare and hacking. LinkedIn: http://www.linkedin.com/pub/reza-rafati-%E2%99%82/1a/98b/197

Country: The Netherlands

My website: Cyberwarzone.com

Twitter: http://twitter.com/#!/cyberwarzonecom