Title: ManageEngine ADManager Plus 5.2 Multiple XSS Vulnerabilities
Advisory ID: ZSL-2012-5070
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 07.02.2012

Summary

ADManager Plus is a simple, easy-to-use Windows Active Directory Management and Reporting Solution that helps AD Administrators and Help Desk Technicians with their day-to-day activities.

Description

ADManager Plus suffers from multiple XSS vulnerabilities when parsing user input to the 'domainName' parameter in the '/jsp/AddDC.jsp' script via GET method and 'operation' parameter in the '/DomainConfig.do' script via POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.

Vendor

Zoho Corporation Pvt. Ltd. - http://www.manageengine.com

Affected Version

5.2 (Build 5210)

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache-Coyote/1.1

Vendor Status

[07.02.2012] Vendor has knowledge about the issue, developing patch.

PoC

admanager_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://secunia.com/advisories/47887/
[2] http://cxsecurity.com/issue/WLB-2012020063
[3] http://www.securityfocus.com/bid/51893
[4] http://packetstormsecurity.org/files/109528
[5] http://www.osvdb.org/show/osvdb/78901
[6] http://www.osvdb.org/show/osvdb/78902
[7] http://xforce.iss.net/xforce/xfdb/73039
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1049

Changelog

[07.02.2012] - Initial release
[08.02.2012] - Added reference [4], [5] and [6]
[09.02.2012] - Added reference [7]
[17.02.2012] - Added reference [8]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk