Cross-Site Scripting Vuln in Zoho ManageEngine ADSelfServicePlus Nov 17 2011 05:40PM
James Webb (james webb verapath com)
Vulnerability ID: VRPTH-2011-001
Reference: http://jameswebb.me/vulns/vrpth-2011-001.txt

Vulnerability Summary
Non-persistent XSS in Zoho ManageEngine ADSelfService Plus

Test Environment
Windows 2008RC2 fully patched.
ManageEngine ADSelfServicePlus version 4.5 Build 4521 installed.
Integrated Into TestDomain

Technical Details
Corporate Directory Search feature in ManageEngine ADSelfServicePlus
version 4.5 Build 4521 is susceptible to
non-persistent XSS attacks. These vulnerabilities are manifest by the
ability for attacker to terminate
javascript variable declarations, escape encapsulation, and append
arbitrary javascript code.
ADSelfService Plus is a password management application for Active
Directory environments.

Proof of Concept
Double-Quote String Termination
HTTP Request =

Response Source View
<script language="javascript">
var searchValue = "';alert(XSS)//\"";

Single-Quote String Termination
HTTP Request=

Root Cause Analysis
Input is not being escaped/filtered prior to javascript variable assignment.

Fix/Work Around
Not aware of patch/fix. Contact Vendor.

Coordination History
09/28/11 - Contacted AdSelfServicePro Team with Vuln. Details
10/07/11 - Requested Update
10/08/11 - Received Response: Advised issues will be handled in future release.
10/27/11 - Requested Update:  Inquired if newer posted builds fixed issue.
11/03/11 - Received Response: Newer build did not address; Indicated
still researching..
11/17/11 - Released Advisory

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus