Full Disclosure mailing list archives

Cross-Site Scripting Vuln in Zoho ManageEngine ADSelfServicePlus
From: James Webb <james.webb () verapath com>
Date: Thu, 17 Nov 2011 12:46:37 -0500

Vulnerability ID: VRPTH-2011-001
Reference: http://jameswebb.me/vulns/vrpth-2011-001.txt

Vulnerability Summary
Non-persistent XSS in Zoho ManageEngine ADSelfService Plus

Test Environment
Windows 2008RC2 fully patched.
ManageEngine ADSelfServicePlus version 4.5 Build 4521 installed.
Integrated Into TestDomain

Technical Details
The Corporate Directory Search feature in ManageEngine ADSelfServicePlus
version 4.5 Build 4521 is susceptible to non-persistent XSS attacks.
The vulnerabilities arise because an attacker can terminate JavaScript
variable declarations, escape encapsulation, and append arbitrary
JavaScript code.
ADSelfService Plus is a password management application for Active
Directory environments.

Proof of Concept
Double-Quote String Termination
HTTP Request =

Response Source View
<script language="javascript">
var searchValue = "';alert(XSS)//\"";

Single-Quote String Termination
HTTP Request=

Root Cause Analysis
Input is not escaped or filtered before it is assigned to a JavaScript variable.
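
The root cause above is missing output encoding for a JavaScript string context. The block below is an added example, not code from this advisory or from the vendor, showing the unescaped pattern beside an encoded form. The function names and the Node.js setting are assumptions; the sample inputs are constructed, except the string taken from the response view above.

```javascript
// Added example (not vendor code): output encoding for a JavaScript string
// context. Function names and sample values are assumptions for illustration.

// Emit every UTF-16 code unit outside [A-Za-z0-9] as \uXXXX so that quotes,
// backslashes, line terminators and markup characters cannot end the literal.
function encodeForJsString(value) {
  let out = "";
  for (const unit of String(value).split("")) {
    if (/^[A-Za-z0-9]$/.test(unit)) {
      out += unit;
    } else {
      out += "\\u" + unit.charCodeAt(0).toString(16).padStart(4, "0");
    }
  }
  return out;
}

// Pattern named in the root cause: the value is pasted into the literal as-is.
function renderUnescaped(searchValue) {
  return 'var searchValue = "' + searchValue + '";';
}

// Hardened form: same template, value encoded for the string context first.
function renderEncoded(searchValue) {
  return 'var searchValue = "' + encodeForJsString(searchValue) + '";';
}

// Text between the first and last double quote of a rendered line.
function literalBody(line) {
  return line.slice(line.indexOf('"') + 1, line.lastIndexOf('"'));
}

// Constructed sample inputs; the last one is the string from the response view.
const samples = ["jsmith", 'O\'Brien "Bob" \\ ops', "line1\nline2",
                 "';alert(XSS)//\""];
for (const s of samples) {
  const line = renderEncoded(s);
  // JSON.parse understands \uXXXX, so it recovers the value that the
  // script would assign to searchValue.
  const roundTrip = JSON.parse('"' + literalBody(line) + '"');
  console.log(line, roundTrip === s ? "(round-trips)" : "(MISMATCH)");
}
```

The same encoding has to be applied on the server wherever a request parameter is written into a script block; HTML entity encoding alone does not cover this context.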

Fix/Work Around
Not aware of patch/fix. Contact Vendor.

Coordination History
09/28/11 - Contacted AdSelfServicePro Team with Vuln. Details
10/07/11 - Requested Update
10/08/11 - Received Response: Advised issues will be handled in future release.
10/27/11 - Requested Update: Inquired if newer posted builds fixed issue.
11/03/11 - Received Response: Newer build did not address; Indicated
still researching.
11/17/11 - Released Advisory

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
