Zoho ManageEngine ServiceDesk Plus CVE-2017-9376 Multiple Local File Include Vulnerabilities



Zoho ManageEngine ServiceDesk Plus is prone to multiple local file include vulnerabilities because it fails to adequately validate user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
Versions prior to Zoho ManageEngine ServiceDesk Plus 9314 are vulnerable; other versions may also be affected.

Information

Bugtraq ID: 107558
Class: Input Validation Error
CVE: CVE-2017-9376

Remote: Yes
Local: No
Published: Mar 25 2019 12:00AM
Updated: Mar 25 2019 12:00AM
Credit: Paulo Monteiro and Filipe Reis
Vulnerable: Zohocorp ManageEngine ServiceDesk Plus 9.3 Build 9313
            Zohocorp ManageEngine ServiceDesk Plus 9.3 Build 9312


Not Vulnerable: Zohocorp ManageEngine ServiceDesk Plus 9.3 Build 9314


Exploit


The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

