ADSelfservice Plus 5.1 Cross Site Scripting

Type packetstorm
Reporter Blessen Thomas
Modified 2015-01-03T00:00:00


Security Advisory :   
Exploit Title:   
Manageengine ADSelfservice Plus Reflected Cross Site Scripting (XSS)  
Google dork : N/A  
Exploit Author: Blessen Thomas  
Date : 03-01-2015  
Vendor Homepage :   
Software Link : N/A  
Version :  
ADSelfservice Plus version 5.1 Build :5102 , Evaluation version –Trial  
Tested on :  
Windows XP SP2 -Host machine ,Windows server 2003 as Active directory  
Type of Application : Web application  
Release mode : Coordinated disclosure  
Vulnerability Description :   
It is observed that the Manageengine ADSelfservice Plus is vulnerable to reflected cross site scripting(non-persistent/temporary) cross site scripting attacks in the “name” parameter and  
the unfiltered input is reflected to the user   
Proof of concept :  
Request :  
POST / HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: JSESSIONIDADSSP=A4144A81CF9702C53035062DBA9CD0F3; JSESSIONIDSSO=D8EE830B96B0218E4548BA3B8ADD09DB; adsspcsrf=79cf454e-9b3f-462b-bb12-03b70cd2f469  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 161  
Parameter affected:  
Payload (Exploit Code):  
Vulnerable link:   
Tools used :  
Mozilla firefox browser v28.0 , Burp proxy free edition v1.5  
## Workaround ##  
Update to newer Version 5.2 Build 5202   
## TimeLine ##  
13th Apr 2014 : Bug Discovered  
15th Apr 2014 : vendor was notified by e-mail  
16th Apr 2014 : Vendor response received  
13th May 2014 : Vendor acknowledged and released a patch  
22nd May 2014 : Mitre Team provided CVE id  
03rd Jan 2015 : Public Disclosure