Short Name |
HTTP:DIR:MANAGEENGINE-DIR-TRAV |
---|---|
Severity |
Major |
Recommended |
Yes |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
ManageEngine ServiceDesk DownloadSnapshotServlet Directory Traversal |
Release Date |
2018/01/16 |
Update Number |
3026 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
This signature detects attempts to exploit a known vulnerability in ManageEngine ServiceDesk for Microsoft Windows. Successful exploitation results in the disclosure of arbitrary file contents from the target server.
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.