===============================================================================================
ADMANAGER PLUS ON-LINE DEMO Cross Site Scripting / Directory Listing / CSRF / ClickJacking ( UI redressing )
===============================================================================================

08-09-2013 Security Advisory

14-09-2013 Response ?

"The vendor has not problem with the flaws in the "demo" on line." 

17-09-2013 Full Disclosure 


I. VULNERABILITY
-------------------------

#Title: ADMANAGER PLUS ON-LINE DEMO Cross Site Scripting / Directory Listing / CSRF / ClickJacking

#Vendor:http://demo.admanagerplus.com/ ( http://www.manageengine.com/products/ad-manager/)

#Author:Juan Carlos García (@secnight)

#Follow me 

Twitter:@secnight

II. DESCRIPTION
-------------------------

ADManager Plus is a simple, easy-to-use Windows Active Directory Management and Reporting Solution that helps AD Administrators
and Help Desk Technicians with their day-to-day activities.

With a centralized and Intuitive web-based UI, the software handles a variety of complex tasks like Bulk Management of User accounts and other AD objects,
Delegate Role based access to Help Desk Technicians,and generates an exhaustive list of AD Reports, some of which are an essential requirement to satisfy Compliance Audits. 

This Active Directory tool also offers mobile AD apps that empower you to perform important user management tasks right from you mobile devices.

What problems does it solve?

Eliminates repetitive, mundane and complex tasks associated with AD Management.

Automates routine AD Management and Reporting activities for AD Administrators.

Facilitates Creation, Management and deletion of AD objects in Bulk.

Provides 'on the move' AD user management capability through its mobile apps.

Acts as an essential resource during Compliance Audits like SOX, HIPAA, etc.


III. PROOF OF CONCEPT
-------------------------



Cross Site Scripting
****************************

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. 

An attacker can steal the session cookie and take over the account, impersonating the user.

It is also possible to modify the content of the page presented to the user. 


Steps:

Go to http://demo.admanagerplus.com

Click------> Login as administrator

In the box where it says ( right) "Search AD objects"

<script>alert("x")</script>


Response:

Search AD Objects:     " type="text" style="width:217" class="textfieldnew">         Advanced Search    Unable to Retrieve Objects



Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. 

An attacker can steal the session cookie and take over the account, impersonating the user.

It is also possible to modify the content of the page presented to the user. 


Directory listing
*******************

Vulnerability description
----------------------------
The web server is configured to display the list of files contained in this directory. 

This is not recommended because the directory may contain files that are not normally exposed through links on the web site.


Affected items
--------------

/images 
/images/ads 
/images/ads/blue 
/images/ads/common 
/images/ads/green 
/images/blue 
/images/brown 
/images/green 
/images/green/role_top_left_curve.gifsym 
/images/green/role_top_left_curve.gifsym/adsm 
/images/green/role_top_left_curve.gifsym/adsm/web 
/images/green/role_top_left_curve.gifsym/adsm/web/adsm 
/images/green/role_top_left_curve.gifsym/adsm/web/adsm/images 
/images/green/role_top_left_curve.gifsym/adsm/web/adsm/images/green 
/images/layout 


The impact of this vulnerability
--------------------------------

A user can view a list of all files from this directory possibly exposing sensitive information.

How to fix this vulnerability
------------------------------

You should make sure the directory does not contain sensitive information or you may want to restrict directory listings from the web server configuration.



CSRF (HTML form without CSRF protection)
****************************************
Vulnerability description
----------------------------

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF,
is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.


This vulnerability affects /home.do. 

Attack details
------------------
Form name: login
Form action: http://demo.admanagerplus.com/j_security_check
Form method: POST

Form inputs:

j_username [Hidden]
j_password [Hidden]
domainName [Hidden]

The impact of this vulnerability
--------------------------------
An attacker may force the users of a web application to execute actions of the attacker's choosing.
A successful CSRF exploit can compromise end user data and operation in case of normal user.
If the targeted end user is the administrator account, this can compromise the entire web application.

How to fix this vulnerability
------------------------------

Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.



Clickjacking: X-Frame-Options header missing(2)
********************************************

Vulnerability description
--------------------------

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user
into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. 

The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is 

not embedded into other sites. 

GET / HTTP/1.1
Cookie: JSESSIONID=4147AC5EADF0B8860DEF171442ABD3AA
Host: demo.admanagerplus.com


IV. BUSINESS IMPACT
*******************
DEMO = Security Flaws

REAL = ¿? (.....)

V SOLUTION
------------------------

Write Secure Code for security tools .. ( D'OH ) 


VI. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García(@secnight)


VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.