Missing Function Level Access Control Vulnerability in OpUtils

Overview
======
Title: Missing Function Level Access Control Vulnerability in ManageEngine OpUtils
Author: Kaustubh G. Padwad
Vendor: ZOHO Corp
Product: ManageEngine OpUtils
Tested Version: OpUtils 8.0
Severity: Medium

Advisory ID
=======
2016-06-Manage_Engine

About the Product:
===========
OpUtils is a Switch Port & IP Address Management software that helps network engineers manage their Switches and IP Address Space with ease. With its comprehensive set of 30+ tools, it helps them to perform network monitoring tasks like detecting a rogue device intrusion, keep a check on bandwidth usage, monitoring availability of critical devices, backing up Cisco configuration files and more.

Description: 
=======
This Missing Function Level Access Control vulnerability enables a normal (non-administrative) user to execute administrative tasks, because the server does not verify the caller's privilege level before carrying out the requested function.
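To make the vulnerability class concrete, here is an added illustration (not OpUtils code; the advisory does not publish the affected handlers) of a request dispatcher that only authenticates the caller beside one that also enforces a per-function role requirement on every request. The action names, roles and audit log are constructed for this example.

```python
# Added illustration of OWASP 2013-A7 (Missing Function Level Access Control).
# Not OpUtils code: action names, roles and both dispatchers are constructed.
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)  # an admin holds "user" and "admin"


# Each server-side function declares the role it requires. Anything not in
# this table is denied by default rather than silently dispatched.
REQUIRED_ROLE = {
    "view_ip_usage": "user",
    "backup_device_config": "admin",  # constructed admin-only action
    "delete_user": "admin",
}

# Stand-in handlers that return a marker so callers can check what ran.
HANDLERS = {name: (lambda n=name: f"executed:{n}") for name in REQUIRED_ROLE}


def dispatch_vulnerable(session, action):
    """Only checks that the caller is logged in. The role table is never
    consulted, so any authenticated user can reach admin-only actions by
    naming them directly, even if the UI hides them."""
    if session is None:
        return "denied:unauthenticated"
    handler = HANDLERS.get(action)
    return handler() if handler else "denied:unknown"


def dispatch_fixed(session, action, audit=None):
    """Enforces the per-function role server-side on every request.
    Denials are appended to `audit` (a list) so they can be detected."""
    if session is None:
        return "denied:unauthenticated"
    required = REQUIRED_ROLE.get(action)
    if required is None:
        return "denied:unknown"  # deny by default
    if required not in session.roles:
        if audit is not None:
            audit.append(f"{session.user} attempted {action} without {required}")
        return "denied:forbidden"
    return HANDLERS[action]()
```

The fixed dispatcher treats the role table, not the user interface, as the source of truth for who may call which function, and records refused attempts for monitoring.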

Vulnerability Class:
============
2013-A7-Missing Function Level Access Control https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control

Mitigation
==========
Upgrade to the next service pack.

Disclosure: 
===========
04-Feb-2016 Reported to vendor
11-Feb-2016 Fixed By Vendor

Credits:
=====
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh (at) me (dot) com [email concealed]
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad