Adaudit Plus Online Demo CSRF / Poor Password Passing

`=================================================================================================================================================  
ADAUDIT PLUS ON-LINE DEMO TomCat Directory Listing / CSRF / Password field Submited using GET Method / OPTIONS Method  
=================================================================================================================================================  
  
  
08-09-2013 Security Advisory  
  
14-09-2013 Response   
  
"The vendor has not problem with the flaws in the "demo" on line."  
  
17-09-2013 Full Disclosure   
  
  
I. VULNERABILITY  
-------------------------  
  
#Author:Juan Carlos García (@secnight)  
  
#Follow me   
  
Twitter:@secnight  
  
II. DESCRIPTION  
-------------------------  
  
ADAuditPlus is a simple Active Directory Auditing and Reporting to helps AD Administrators and Help Desk Technicians with their day-to-day activities.  
  
With a centralized and Intuitive web-based UI, the software handles a variety of complex tasks like Bulk Management of User accounts and other AD objects,  
Delegate Role based access to Help Desk Technicians,and generates an exhaustive list of AD Reports, some of which are an essential requirement to satisfy Compliance Audits.   
  
This Active Directory tool also offers mobile AD apps that empower you to perform important user management tasks right from you mobile devices.  
  
Active Directory alerts and email notification  
Active Directory audit and compliance   
Active Directory audit reports  
Group Policy audit reports  
Tracking user management actions  
user Logon Audit Reports  
Reports from archive data   
Track user logon actions   
Schedule Active Directory change reports  
Windows Active Directory Monitoring User management audit reports GPO change auditing  
  
  
DISNEY, NASA, ACCENTURE OR SONY USE THIS TOOL ...   
  
  
III. PROOF OF CONCEPT  
***********************  
  
Tomcat directory listing   
***************************  
  
/adsf  
/adsf/js  
/adsf/js/common  
/adsf/js/common/components  
/adsf/js/layout  
/help/troubleshooting  
/help/welcome  
/images/ads  
/images/ads/blue  
/images/ads/common  
/images/ads/green  
/images/blue  
/images/green  
/js/framework  
/styles  
/styles/ads  
/styles/ads/blue  
/styles/ads/green  
/styles/blue  
/styles/green  
Password type input with autocomplete enabled  
/AddOnIntegration.do  
/DomainConfig.do (1200dfb30a115695f01f3ae6fa6e5189)  
/DomainConfig.do (62d40088a4a4be34e12f6020280f760c)  
/mailServerSettings.do (54cfa2363cbb4cc2c909301b43bfd2fa)  
/TechnicianConfiguration.do  
/TechnicianConfiguration.do (5e72876e52b3655fef586fdccb45295a)  
/ViewNetAppFilers.do (e25d53aac4030269c11d6a40e94e7d5c)  
  
  
CSRF HTML form without CSRF protection  
**************************************  
  
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF,  
is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.  
  
Affected Items  
------------------  
  
  
/AddOnIntegration.do  
/Admin.do  
/AuditAlerts.do (6d9bb43f2bd7065990c8a1e238988260)  
/AuditAlerts.do (9b5f21f8edd13ce65861e348d41982e4)  
/AuditAlerts.do (d57a4acdd7c0798d7080b5469f62ce50)  
/AuditReports.do (3510295fcef2c20bcc6cd54aaa33cdbd)  
/AuditReports.do (e398fa07aee5eb80e16c5535ff3c16ba)  
/BusinessHourSettings.do (c78248309f8c1ed81177f784a0e09b5a)  
/clearAlertsPage.do (db53e01acc5c5e2e3ef78d3110d009a5)  
/clearAlertsPage.do (f562ce77d473c8c897f38a7fcff604d3)  
/ConfigureDiskFreeSpace.do (6fa855a47ed265b84d233dcd16d5613f)  
/ConfiguredPrintServers.do (97058e2da17863ded4f6e6835bb58dce)  
/ConfigureServiceAccounts.do  
/ConfigureServiceAccounts.do (e22b2f30fe810fce6c1dadca052f00d0)  
/CreateAlertProfile.do  
/CreateAuditAction.do (11d407ca4f8b52f46c90a176411b75ac)  
/CreateAuditAction.do (48400010ef4cf3819cd4f457bfdf60a3)  
/CreateMonitor.do (17e6dfe819e8c6c9b74354451458b0be)  
/CreateMonitor.do (1dc247ee02d117c3f6614174e4d481af)  
/CreateMonitor.do (2a2cdc9e48077e73dee0346269ebe1cd)  
/CreateMonitor.do (569f112609441a95291904481fc867f3)  
/CreateMonitor.do (64ace2c835c919045cbdd8149855e0db)  
/CreateMonitor.do (8053cb9c721c6578df46b8f2e4470f65)  
/CreateMonitor.do (8d7fe9d986988cc6923bbee1975b9029)  
/CreateMonitor.do (d4a815b7c041cb77b6f2b926c70d3d2e)  
/DomainConfig.do (1200dfb30a115695f01f3ae6fa6e5189)  
/DomainConfig.do (62d40088a4a4be34e12f6020280f760c)  
/Home.do  
/mailServerSettings.do (54cfa2363cbb4cc2c909301b43bfd2fa)  
/ModifyAlertProfile.do (81994df334421bb63ef0f8c7b0c6c760)  
/ModifyAuditAction.do (10e5263d4344a042371512536ba9b7e9)  
/ModifyAuditAction.do (1a920dcbf7672e515f99e1ffbce83779)  
/ModifyAuditAction.do (1c8d15b9f700cb8f35eea0e051372d65)  
/ModifyAuditAction.do (1ee29d33c136a2b67a300052b1891971)  
/ModifyAuditAction.do (25fffa415a11304aba6fac271dfb9d5c)  
/ModifyAuditAction.do (35cf2224c8f4a076f6808bca51293206)  
/ModifyAuditAction.do (37939d16e21e6f5080d88c7bcbe24615)  
/ModifyAuditAction.do (58a439b57ee4dad43d77beb8e3e6ce5c)  
/ModifyAuditAction.do (68d2ebe7d262e0e8ba0b0e010bf10710)  
/ModifyAuditAction.do (6dc19527183b9dfe0f941f26d0dadcd1)  
/ModifyAuditAction.do (6e606cfbb98d6f33902f3319904f1e41)  
/ModifyAuditAction.do (7715d20509aaf599e43124ac8f9b635c)  
/ModifyAuditAction.do (7dfca018bfaef68d49f5ecfb11eaa9e6)  
/ModifyAuditAction.do (a7495aef9b347b446727a1820df88540)  
/ModifyAuditAction.do (aece10082192567d9c773dcf664bfcf2)  
/ModifyAuditAction.do (c6e1f4c2e39f58d8a759155e1f59eed7)  
/ModifyAuditAction.do (d0e61de374e5e13fbc25a630cf5bd481)  
/ModifyAuditAction.do (daab90a90354e1c3bdea1f41a0f3e250)  
/ModifyAuditAction.do (e43d678ca6074adaea0d44812f2a9df9)  
/ModifyAuditAction.do (e76bd6ebcfde8b8fdc1dade908969334)  
/ModifyAuditAction.do (f1fdcf26099037782cb0b7176ac7190a)  
/ModifyAuditAction.do (fa8d07184095b3f3a29b88715710e646)  
/ModifyMonitor.do  
/ModifyMonitor.do (4171a9f69f4a2fb90d61f71c6398b9e2)  
/ModifyMonitor.do (52dd972761adec5d86c0eef9408854f4)  
/ModifyMonitor.do (7e0de36b06bbe4eb26a5d46f0527a42a)  
/ModifyMonitor.do (9f91fed51557794244c3193620ea0b31)  
/ModifyMonitor.do (a6373e3090c6958d8e1ad45f6dc14fe1)  
/ModifyMonitor.do (d4f8ae7d03d8228b70ed37d5115ef03c)  
/ModifyMonitor.do (f6553ef4dd6a0eb859c6e62b6dbce5fa)  
/ModifyMonitor.do (fb366a2ad60671cd430216fa2889cae7)  
/personalisePage.do (adcf13643893cacd456fccf152942a71)  
/personalisePage.do (bc4456082bc40e3bdaa905a17e1b447d)  
/personalisePage.do (ff6fec9804b285f9e6b3a7b0ff8977ad)  
/RestoreEventTables.do (3245de312ade81cfcd70a621b267fd38)  
/RestoreEventTables.do (b09edf0d6bbacf8d4e40f2ff93ab1c1a)  
/RestoreEventTables.do (fc2722a0def2f2e517b4f3c4e1354251)  
/TechnicianConfiguration.do  
/ViewClusters.do  
/ViewClusters.do (4a43a03cb9a408895f948d0e35d76e6f)  
/ViewClusters.do (e25d53aac4030269c11d6a40e94e7d5c)  
/ViewComputer.do (49c10a71f0b99ca0ef18875f423300c5)  
/ViewComputer.do (4f6509b9a3dfad8e03d320c5d1f6be91)  
/ViewComputer.do (779d05794f5407a2d47ae231e79b382d)  
/ViewFileServers.do  
/ViewFileServers.do (df22bfd067cd3804c925dffcbd3ae2c1)  
/ViewMonitor.do (1c1fe03c218164d638918e13959a0154)  
/ViewMonitor.do (227b3dcf1ad0a58d3084bbd7384b28a2)  
/ViewMonitor.do (2f067974903713cce4d770636117803d)  
/ViewMonitor.do (35c622534ec401a11e9d839b118d8fad)  
/ViewMonitor.do (49bb3be77dc7bce41e91a63c52343cfa)  
/ViewMonitor.do (4f3645a9811bd238b33697a0ef8c570d)  
/ViewMonitor.do (53f4e849f1284412ed68827270f9bbb6)  
/ViewMonitor.do (86d30b77fbcf476e4bd9648dc3bdda1a)  
/ViewMonitor.do (8c84d61f5561f565069f5e676ddf20d4)  
/ViewMonitor.do (8d7444e0eae26afeebd6d00edec14090)  
/ViewMonitor.do (8f3e5737a18111836c6bc96a8a127bc9)  
/ViewMonitor.do (95ae60c6a899c2dcdcf3f9ee3f3e9ab7)  
/ViewMonitor.do (9b45fe1593904e6d69905ae47607efa6)  
/ViewMonitor.do (af6d232105fe888409f1a622460aba94)  
/ViewMonitor.do (b33277701f00441f37383b2e9b8ce51f)  
/ViewMonitor.do (dd70bba82123b671654f0c6b03f50098)  
/ViewMonitor.do (de6cd669e945c9b6c924bea31c13ca62)  
/ViewMonitor.do (e5b1e63d45ac7a9089ceb27691f7c64c)  
/ViewMonitor.do (eca565d9bd367f0c6d5939cd45cf00a7)  
/ViewMonitor.do (f3711cf0032e486cd77376fcb4ccc1ff)  
/ViewMonitor.do (f9eb02946d5f2536955523d1f7cd8665)  
/ViewMonitor.do (fc6a074c4676998689241adbf2f63c0b)  
/ViewNetAppFilers.do  
/ViewNetAppFilers.do (e25d53aac4030269c11d6a40e94e7d5c)  
  
  
  
  
Password field submitted using GET method  
*****************************************  
  
Vulnerability description  
-----------------------------  
This page contains a form with a password field. This form submits user data using the GET method,   
therefore the contents of the password field will appear in the URL. Sensitive information should not be passed via the URL.   
URLs could be logged or leaked via the Referer header.  
  
Affected items  
----------------------  
  
/TechnicianConfiguration.do   
  
Attack details  
-------------------  
  
form name: "TechnicianConfiguration"  
form action: ""  
password input: "password"  
  
  
  
The impact of this vulnerability  
-----------------------------------  
Possible sensitive information disclosure.  
  
How to fix this vulnerability  
------------------------------------  
  
The password field should be submitted through POST instead of GET.  
  
  
IV. BUSINESS IMPACT  
-------------------------  
DEMO = Security Flaws  
REAL = ¿? ( D'OH )  
  
V SOLUTION  
------------------------  
  
Write Secure Code FOR Security Tools   
  
  
VI. CREDITS  
-------------------------  
  
This vulnerability has been discovered  
by Juan Carlos García(@secnight)  
  
  
VII. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`