Versions affected: 8.0.130.17 known affected versions, others likely

Advisory URL / CVE Identifier: CVE-2020-13658

Lansweeper is an application that gathers hardware and software information of computers and other devices on a computer network for management and compliance and audit purposes. The application also encompasses a ticket based help desk system and capabilities for software updates on target devices.

An attacker with an existing user account can elevate their privileges within the Lansweeper application.

Lansweeper allows an administrator to change the roles and permissions granted to a given application user via the /configuration/HelpdeskUsers/HelpdeskusersActions.aspx page. Normal usage of the application sends a POST request similar to the following when a user’s role is changed.

```
POST /configuration/HelpdeskUsers/HelpdeskusersActions.aspx HTTP/1.1
Referer:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: ASP.NET_SessionId=0cz3z0ocopzt04ddvo5514fo; UserSettings=language=1; custauth=username=admin&userdomain=admin

userid=4&originalvalue=&permissionselect=2&action=SELECTtblusers
```

The application also protects its session cookie (ASP.NET_SessionId) with the samesite=lax parameter. This prevents several instances of traditional CSRF attacks (such as resources being loaded from image tags, or forms sending POST requests from an alternate domain).

An attacker can bypass these protections by modifying the previous request to use the GET HTTP method instead of the POST HTTP method and changing parameters specified in the POST body to URL parameters instead. Doing so results in the following:

```
GET /configuration/HelpdeskUsers/HelpdeskusersActions.aspx?userid=4&originalvalue=&permissionselect=1&action=SELECTtblusers HTTP/1.1
Referer:
X-Requested-With: XMLHttpRequest
Cookie: ASP.NET_SessionId=cpa4aol20zham0xmmcjxjl2e; UserSettings=language=1; custauth=username=admin&userdomain=admin
```

Which can be shortened to the following URL:

If a Lansweeper administrator browses to the above URL while authenticated to the Lansweeper application, the user specified in the userid parameter will have their privileges set to those specified in the permissionselect parameter. In this case the user with the userid 2 has their permission set to “Administrator + Agent”.

Update to the latest version of Lansweeper, which at the time of writing is 8.0.130.37.

- Restrict access to the Lansweeper management console as much as possible, ideally limiting access to only a small set of highly-trusted users.
- If possible, use a separate browser whose only purpose is accessing and managing the Lansweeper application.

- May 14th, 2020 – NCC Group reached out to Lansweeper to identify an appropriate security contact.
- May 19th, 2020 – Lansweeper opens a case with their development team to look into the issue.
- May 28th, 2020 – NCC Group registers the associated CVE.

The SysAdmin Day Awards 2021 is already a great success! We received a record number of applications and some really great stories from IT pros around the world. This year, as expected, the majority of the stories came from the healthcare sector. COVID introduced us to many heroes from all walks of life. But people working in healthcare were definitely at the forefront, and that includes sysadmins & IT teams working for hospitals and other healthcare-related organizations.

We would like to give all the applicants the recognition they deserve, but only 7 lucky nominees have been selected for a chance to win the title of IT Hero of the Year 2021. Starting from today until July 26, you can vote for your favorite IT Hero. Find the story you like most and vote on the voting page here. And don’t hesitate to invite colleagues or friends to vote for your IT Hero as well. The winners will be announced on System Administrator Appreciation Day July 30th.