ManageEngine ADManager Plus 5.2 Cross Site Scripting

Type packetstorm
Reporter LiquidWorm
Modified 2012-02-07T00:00:00


ManageEngine ADManager Plus 5.2 Multiple XSS Vulnerabilities  
Vendor: Zoho Corporation Pvt. Ltd.  
Product web page:  
Affected version: 5.2  
Summary: ADManager Plus is a simple, easy-to-use Windows  
Active Directory Management and Reporting Solution that  
helps AD Administrators and Help Desk Technicians with  
their day-to-day activities.  
Desc: ADManager Plus suffers from multiple XSS vulnerabilities  
when parsing user input to the 'domainName' parameter in the  
'/jsp/AddDC.jsp' script via GET method and 'operation' parameter  
in the '/' script via POST method. Attackers can  
exploit these weaknesses to execute arbitrary HTML and script  
code in a user's browser session.  
Tested on: Microsoft Windows XP Professional SP3 (EN)  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2012-5070  
Advisory URL:  
- GET http://localhost:8080/jsp/AddDC.jsp?domainName="><script>alert('zsl')</script> HTTP/1.1  
- POST http://localhost:8080/ HTTP/1.1  
- DOMAIN_NAME=test&DOMAIN_CONTROLLER_NAME=testsrv&save=Add&operation="><script>alert('zsl')</script>&reset=