================================================================================================================================================= ADAUDIT PLUS ON-LINE DEMO TomCat Directory Listing / CSRF / Password field Submited using GET Method / OPTIONS Method ================================================================================================================================================= 08-09-2013 Security Advisory 14-09-2013 Response "The vendor has not problem with the flaws in the "demo" on line." 17-09-2013 Full Disclosure I. VULNERABILITY ------------------------- #Author:Juan Carlos García (@secnight) #Follow me Twitter:@secnight II. DESCRIPTION ------------------------- ADAuditPlus is a simple Active Directory Auditing and Reporting to helps AD Administrators and Help Desk Technicians with their day-to-day activities. With a centralized and Intuitive web-based UI, the software handles a variety of complex tasks like Bulk Management of User accounts and other AD objects, Delegate Role based access to Help Desk Technicians,and generates an exhaustive list of AD Reports, some of which are an essential requirement to satisfy Compliance Audits. This Active Directory tool also offers mobile AD apps that empower you to perform important user management tasks right from you mobile devices. Active Directory alerts and email notification Active Directory audit and compliance Active Directory audit reports Group Policy audit reports Tracking user management actions user Logon Audit Reports Reports from archive data Track user logon actions Schedule Active Directory change reports Windows Active Directory Monitoring User management audit reports GPO change auditing DISNEY, NASA, ACCENTURE OR SONY USE THIS TOOL ... III. PROOF OF CONCEPT *********************** Tomcat directory listing *************************** /adsf /adsf/js /adsf/js/common /adsf/js/common/components /adsf/js/layout /help/troubleshooting /help/welcome /images/ads /images/ads/blue /images/ads/common /images/ads/green /images/blue /images/green /js/framework /styles /styles/ads /styles/ads/blue /styles/ads/green /styles/blue /styles/green Password type input with autocomplete enabled /AddOnIntegration.do /DomainConfig.do (1200dfb30a115695f01f3ae6fa6e5189) /DomainConfig.do (62d40088a4a4be34e12f6020280f760c) /mailServerSettings.do (54cfa2363cbb4cc2c909301b43bfd2fa) /TechnicianConfiguration.do /TechnicianConfiguration.do (5e72876e52b3655fef586fdccb45295a) /ViewNetAppFilers.do (e25d53aac4030269c11d6a40e94e7d5c) CSRF HTML form without CSRF protection ************************************** Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Affected Items ------------------ /AddOnIntegration.do /Admin.do /AuditAlerts.do (6d9bb43f2bd7065990c8a1e238988260) /AuditAlerts.do (9b5f21f8edd13ce65861e348d41982e4) /AuditAlerts.do (d57a4acdd7c0798d7080b5469f62ce50) /AuditReports.do (3510295fcef2c20bcc6cd54aaa33cdbd) /AuditReports.do (e398fa07aee5eb80e16c5535ff3c16ba) /BusinessHourSettings.do (c78248309f8c1ed81177f784a0e09b5a) /clearAlertsPage.do (db53e01acc5c5e2e3ef78d3110d009a5) /clearAlertsPage.do (f562ce77d473c8c897f38a7fcff604d3) /ConfigureDiskFreeSpace.do (6fa855a47ed265b84d233dcd16d5613f) /ConfiguredPrintServers.do (97058e2da17863ded4f6e6835bb58dce) /ConfigureServiceAccounts.do /ConfigureServiceAccounts.do (e22b2f30fe810fce6c1dadca052f00d0) /CreateAlertProfile.do /CreateAuditAction.do (11d407ca4f8b52f46c90a176411b75ac) /CreateAuditAction.do (48400010ef4cf3819cd4f457bfdf60a3) /CreateMonitor.do (17e6dfe819e8c6c9b74354451458b0be) /CreateMonitor.do (1dc247ee02d117c3f6614174e4d481af) /CreateMonitor.do (2a2cdc9e48077e73dee0346269ebe1cd) /CreateMonitor.do (569f112609441a95291904481fc867f3) /CreateMonitor.do (64ace2c835c919045cbdd8149855e0db) /CreateMonitor.do (8053cb9c721c6578df46b8f2e4470f65) /CreateMonitor.do (8d7fe9d986988cc6923bbee1975b9029) /CreateMonitor.do (d4a815b7c041cb77b6f2b926c70d3d2e) /DomainConfig.do (1200dfb30a115695f01f3ae6fa6e5189) /DomainConfig.do (62d40088a4a4be34e12f6020280f760c) /Home.do /mailServerSettings.do (54cfa2363cbb4cc2c909301b43bfd2fa) /ModifyAlertProfile.do (81994df334421bb63ef0f8c7b0c6c760) /ModifyAuditAction.do (10e5263d4344a042371512536ba9b7e9) /ModifyAuditAction.do (1a920dcbf7672e515f99e1ffbce83779) /ModifyAuditAction.do (1c8d15b9f700cb8f35eea0e051372d65) /ModifyAuditAction.do (1ee29d33c136a2b67a300052b1891971) /ModifyAuditAction.do (25fffa415a11304aba6fac271dfb9d5c) /ModifyAuditAction.do (35cf2224c8f4a076f6808bca51293206) /ModifyAuditAction.do (37939d16e21e6f5080d88c7bcbe24615) /ModifyAuditAction.do (58a439b57ee4dad43d77beb8e3e6ce5c) /ModifyAuditAction.do (68d2ebe7d262e0e8ba0b0e010bf10710) /ModifyAuditAction.do (6dc19527183b9dfe0f941f26d0dadcd1) /ModifyAuditAction.do (6e606cfbb98d6f33902f3319904f1e41) /ModifyAuditAction.do (7715d20509aaf599e43124ac8f9b635c) /ModifyAuditAction.do (7dfca018bfaef68d49f5ecfb11eaa9e6) /ModifyAuditAction.do (a7495aef9b347b446727a1820df88540) /ModifyAuditAction.do (aece10082192567d9c773dcf664bfcf2) /ModifyAuditAction.do (c6e1f4c2e39f58d8a759155e1f59eed7) /ModifyAuditAction.do (d0e61de374e5e13fbc25a630cf5bd481) /ModifyAuditAction.do (daab90a90354e1c3bdea1f41a0f3e250) /ModifyAuditAction.do (e43d678ca6074adaea0d44812f2a9df9) /ModifyAuditAction.do (e76bd6ebcfde8b8fdc1dade908969334) /ModifyAuditAction.do (f1fdcf26099037782cb0b7176ac7190a) /ModifyAuditAction.do (fa8d07184095b3f3a29b88715710e646) /ModifyMonitor.do /ModifyMonitor.do (4171a9f69f4a2fb90d61f71c6398b9e2) /ModifyMonitor.do (52dd972761adec5d86c0eef9408854f4) /ModifyMonitor.do (7e0de36b06bbe4eb26a5d46f0527a42a) /ModifyMonitor.do (9f91fed51557794244c3193620ea0b31) /ModifyMonitor.do (a6373e3090c6958d8e1ad45f6dc14fe1) /ModifyMonitor.do (d4f8ae7d03d8228b70ed37d5115ef03c) /ModifyMonitor.do (f6553ef4dd6a0eb859c6e62b6dbce5fa) /ModifyMonitor.do (fb366a2ad60671cd430216fa2889cae7) /personalisePage.do (adcf13643893cacd456fccf152942a71) /personalisePage.do (bc4456082bc40e3bdaa905a17e1b447d) /personalisePage.do (ff6fec9804b285f9e6b3a7b0ff8977ad) /RestoreEventTables.do (3245de312ade81cfcd70a621b267fd38) /RestoreEventTables.do (b09edf0d6bbacf8d4e40f2ff93ab1c1a) /RestoreEventTables.do (fc2722a0def2f2e517b4f3c4e1354251) /TechnicianConfiguration.do /ViewClusters.do /ViewClusters.do (4a43a03cb9a408895f948d0e35d76e6f) /ViewClusters.do (e25d53aac4030269c11d6a40e94e7d5c) /ViewComputer.do (49c10a71f0b99ca0ef18875f423300c5) /ViewComputer.do (4f6509b9a3dfad8e03d320c5d1f6be91) /ViewComputer.do (779d05794f5407a2d47ae231e79b382d) /ViewFileServers.do /ViewFileServers.do (df22bfd067cd3804c925dffcbd3ae2c1) /ViewMonitor.do (1c1fe03c218164d638918e13959a0154) /ViewMonitor.do (227b3dcf1ad0a58d3084bbd7384b28a2) /ViewMonitor.do (2f067974903713cce4d770636117803d) /ViewMonitor.do (35c622534ec401a11e9d839b118d8fad) /ViewMonitor.do (49bb3be77dc7bce41e91a63c52343cfa) /ViewMonitor.do (4f3645a9811bd238b33697a0ef8c570d) /ViewMonitor.do (53f4e849f1284412ed68827270f9bbb6) /ViewMonitor.do (86d30b77fbcf476e4bd9648dc3bdda1a) /ViewMonitor.do (8c84d61f5561f565069f5e676ddf20d4) /ViewMonitor.do (8d7444e0eae26afeebd6d00edec14090) /ViewMonitor.do (8f3e5737a18111836c6bc96a8a127bc9) /ViewMonitor.do (95ae60c6a899c2dcdcf3f9ee3f3e9ab7) /ViewMonitor.do (9b45fe1593904e6d69905ae47607efa6) /ViewMonitor.do (af6d232105fe888409f1a622460aba94) /ViewMonitor.do (b33277701f00441f37383b2e9b8ce51f) /ViewMonitor.do (dd70bba82123b671654f0c6b03f50098) /ViewMonitor.do (de6cd669e945c9b6c924bea31c13ca62) /ViewMonitor.do (e5b1e63d45ac7a9089ceb27691f7c64c) /ViewMonitor.do (eca565d9bd367f0c6d5939cd45cf00a7) /ViewMonitor.do (f3711cf0032e486cd77376fcb4ccc1ff) /ViewMonitor.do (f9eb02946d5f2536955523d1f7cd8665) /ViewMonitor.do (fc6a074c4676998689241adbf2f63c0b) /ViewNetAppFilers.do /ViewNetAppFilers.do (e25d53aac4030269c11d6a40e94e7d5c) Password field submitted using GET method ***************************************** Vulnerability description ----------------------------- This page contains a form with a password field. This form submits user data using the GET method, therefore the contents of the password field will appear in the URL. Sensitive information should not be passed via the URL. URLs could be logged or leaked via the Referer header. Affected items ---------------------- /TechnicianConfiguration.do Attack details ------------------- form name: "TechnicianConfiguration" form action: "" password input: "password" The impact of this vulnerability ----------------------------------- Possible sensitive information disclosure. How to fix this vulnerability ------------------------------------ The password field should be submitted through POST instead of GET. IV. BUSINESS IMPACT ------------------------- DEMO = Security Flaws REAL = ¿? ( D'OH ) V SOLUTION ------------------------ Write Secure Code FOR Security Tools VI. CREDITS ------------------------- This vulnerability has been discovered by Juan Carlos García(@secnight) VII. LEGAL NOTICES ------------------------- The Author accepts no responsibility for any damage caused by the use or misuse of this information.