Zoho ManageEngine Applications Manager SQL Injection Vulnerabilities
Vulnerabilities in Zoho ManageEngine Applications Manager could allow an authenticated or unauthenticated remote attacker to conduct SQL injection attacks on a targeted system.
The vulnerabilities are due to insufficient validation of user-supplied input by the affected software. An authenticated, remote attacker could exploit one of the vulnerabilities by submitting a crafted manageApplications.do?method=insert request to the affected software. An unauthenticated, remote attacker could exploit the other vulnerability by submitting a crafted manageApplications.do?method=AddSubGroup request to the affected software. A successful exploit of either or both vulnerabilities could allow the attacker to conduct a SQL injection attack on the targeted system, which could be used to conduct further attacks.
Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.
Zoho has not confirmed this vulnerability and software updates are not available.
To exploit this vulnerability, the attacker may need access to trusted or internal networks to submit crafted SQL queries to the targeted system. This access requirement could reduce the likelihood of a successful exploit.
Administrators are advised to contact the vendor regarding future updates and releases.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
Administrators can apply Snort SIDs 44921 and 44922 to help prevent attacks that attempt to exploit this vulnerability.
Administrators are advised to monitor affected systems.
For additional information about SQL injection attacks and defenses, see Understanding SQL Injection.
At the time of publication of this page (22/01/2018) no vendor announcements are available. And no software updates are available.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.