Cross-Site Scripting Vuln in Zoho ManageEngine ADSelfServicePlus
From: James Webb <james.webb () verapath com>
Date: Thu, 17 Nov 2011 12:46:37 -0500
Vulnerability ID: VRPTH-2011-001
Non-persistent XSS in Zoho ManageEngine ADSelfService Plus
Windows 2008RC2 fully patched.
ManageEngine ADSelfServicePlus version 4.5 Build 4521 installed.
Integrated Into TestDomain
Corporate Directory Search feature in ManageEngine ADSelfServicePlus
version 4.5 Build 4521 is susceptible to non-persistent XSS attacks.
These vulnerabilities are manifest by the
ADSelfService Plus is a password management application for Active
Proof of Concept
Double-Quote String Termination
HTTP Request =
Response Source View
var searchValue = "';alert(XSS)//\"";
Single-Quote String Termination
Root Cause Analysis
Not aware of patch/fix. Contact Vendor.
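The pattern shown in the proof of concept, a search value reflected into a JavaScript string literal so that a quote character ends the literal early, is illustrated below with an added example. This code is not from the advisory or from ManageEngine: the three renderers, the stub alert() harness and the sample inputs are constructed here to show why escaping only the quote character is not enough and what a complete encoding of the value looks like.

```javascript
// Added example (not from the advisory or the vendor): a search value
// reflected into an inline script string literal, rendered three ways, with
// a small harness that checks whether the literal survives intact.

// 1. Raw concatenation: any double quote in the value ends the literal.
function renderRaw(value) {
  return 'var searchValue = "' + value + '";';
}

// 2. Escaping only the double quote: a backslash placed in front of it by the
//    value neutralises the added backslash, so the literal still ends early.
function renderQuoteEscaped(value) {
  return 'var searchValue = "' + String(value).replace(/"/g, '\\"') + '";';
}

// 3. Full encoding: JSON.stringify handles quotes, backslashes and control
//    characters; the second pass turns <, >, &, / and the U+2028/U+2029 line
//    terminators into \uXXXX escapes, so the value can neither close the
//    surrounding <script> element nor break out of the statement.
function encodeForJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\/\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderSafe(value) {
  return 'var searchValue = ' + encodeForJsString(value) + ';';
}

// Harness standing in for the browser: run the generated statement with a
// stub alert() and report what searchValue holds and whether the stub ran.
function runSnippet(snippet) {
  let reached = false;
  const alertStub = () => { reached = true; };
  const value = new Function('alert', 'XSS', snippet + '\nreturn searchValue;')(alertStub, 'XSS');
  return { value, reached };
}

// True when the statement reproduces the original value exactly and nothing
// outside the literal executed.
function literalIntact(render, value) {
  const out = runSnippet(render(value));
  return out.value === value && !out.reached;
}

// Constructed inputs: a benign search, a double-quote terminator, a
// backslash-prefixed terminator, and an attempt to close the script element.
const samples = [
  'plain search',
  '";alert(XSS)//',
  '\\";alert(XSS)//',
  '</script><script>alert(XSS)</script>',
];

function allIntact(render) {
  return samples.every((s) => literalIntact(render, s));
}

// Stand-alone demonstration.
console.log('raw           intact for all samples:', allIntact(renderRaw));
console.log('quote-escaped intact for all samples:', allIntact(renderQuoteEscaped));
console.log('safe          intact for all samples:', allIntact(renderSafe));
```

The harness only models the JavaScript parser, not the HTML parser, so the `</script>` sample is caught by inspecting renderSafe's output for `<` rather than by execution; a server-side fix in this position would apply the same JSON-plus-escape encoding at the point where the search value is written into the page, and a regression test would run each sample through literalIntact.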
09/28/11 - Contacted AdSelfServicePro Team with Vuln. Details
10/07/11 - Requested Update
10/08/11 - Received Response: Advised issues will be handled in future release.
10/27/11 - Requested Update: Inquired if newer posted builds fixed issue.
11/03/11 - Received Response: Newer build did not address; Indicated
11/17/11 - Released Advisory
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/