exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PasswordManager Pro 6.1 Script Injection

PasswordManager Pro 6.1 Script Injection
Posted Dec 15, 2009
Authored by Stefan Friedli | Site scip.ch

PasswordManager Pro version 6.1 suffers from a script injection vulnerability.

tags | advisory
SHA-256 | 97a0692fe921ee6828b4f509b527f663ac5568530560b276cdbfd024d50bca26

PasswordManager Pro 6.1 Script Injection

Change Mirror Download
PasswordManager Pro 6.1 Script Injection Vulnerability
scip AG Vulnerability ID 4063 (12/15/2009)


"Password Manager Pro is a secure vault for storing and managing shared
sensitive information such as passwords, documents and digital
identities of enterprises."

More information is available on the official product web site at the
following URL[1]:



Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enabled an attacker to perform various
web-based attacks.

The processing method for the search function fails to perform proper
input validation on the data that is being submitted via HTTP GET. The
parameter "searchtext" lacks validation and is therefore vulnerable to
script injection. While there is a basic input filterting method in
place, it fails to detect more advanced (e.g. encoded) payloads.
Other parts of the application might be affected too.

This vulnerability has been tested on version 6.1, other versions might
be affected as well.


Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities. The target
application does actually check for certain patterns and prevents an
attacker from using easy exploiting strings containing substrings like
"script", "javascript", "alert" or similar. However, we consider this to
be an imperfect mechanism that is unable to prevent an attack using a
more sophisticated payload. For a selection, you might want to check
RSnakes popular XSS Cheat Sheet[2], which contains several patterns not
being detected by the filter in place, allowing you execute any
arbitrary, externally hosted payload.

Exploitation can be performed using any medium, that is able to perform
a GET request. Under certain circumstances, it is even possible to
attack unauthenticated user, as the payload will be kept in the users
session until authentication data has been entered.

We exploited the vulnerability for a customer in order to proof the
possibility to capture usernames and passwords. One of the possibilities
mentioned above is, to embed a remote flash file and grant it the
permission to execute script code.


Impact of the vulnerability depends on the stored data. PMP is often
used for corporate password management and contains highly sensitive
information. Therefore, a high amount of damage might be caused by
successful exploitation and follow-up attacks.


Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to propose a HTML tag.
In some cases single (') or double quotes (") are required to inject the
code in a given HTML statement. Some implementation of security systems
are looking for well-known attack tags as like <script> and attack
attributes onMouseOver too. However, these are usually not capable of
identifying highly optimized payload.


Move to version 6104 or after


The issue is due to the filter applying case sensitive checks to the
attack strings and the situation of such a string with different cases
of characters was not handled. (09.12.2009; ManageEngine)


scip AG - Security Consulting Information Process (german)

scip AG Vulnerability Database (german)


2009/09/28 Identification of the vulnerability
2009/10/-- ManageEngine supplies hotfix for affected customer
2009/12/07 scip AG starts public disclosure process by informing
2009/12/07 ManageEngine acknowledges vulnerability and disclosure
2009/12/09 ManageEngine announces patch within 5 days, sends official
vendor response statement
2009/12/15 ManageEngine releases official patch
2009/12/15 scip AG releases public advisory


The vulnerabilities were discovered by Stefan Friedli.

Stefan Friedli, scip AG, Zuerich, Switzerland


[1] PMP Official Vendor Information, ManageEngine

[2] PMP Update


Copyright (c) 2002-2009 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.

Stefan Friedli | stfr@scip.ch
scip AG | Badenerstrasse 551 | 8048 Zurich T +41 44 404 13 13 | F +41 44
404 13 14
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By