
ManageEngine ADManager Plus 5.2 Multiple XSS Vulnerabilities

Medium
Advisory ID
ZSL-2012-5070
Release Date
07 February 2012
Vendor
Zoho Corporation Pvt. Ltd. - http://www.manageengine.com
Affected Version
5.2 (Build 5210)
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache-Coyote/1.1
Summary

ADManager Plus is a simple, easy-to-use Windows Active Directory Management and Reporting Solution that helps AD Administrators and Help Desk Technicians with their day-to-day activities.

Description

ADManager Plus suffers from multiple XSS vulnerabilities when handling user input to the 'domainName' parameter of the '/jsp/AddDC.jsp' script (GET method) and the 'operation' parameter of the '/DomainConfig.do' script (POST method). Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.
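As an added detection example (not part of the advisory or the vendor's code), the check below scans combined-format web server access logs for requests to the two endpoints named above and flags a watched parameter whose decoded value does not fit an allowlisted shape; the log lines, the hostname/operation allowlists and the log format are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2012:10:01:02 +0100] "GET /jsp/AddDC.jsp?domainName=corp.example.com HTTP/1.1" 200 512
10.0.0.7 - - [07/Feb/2012:10:03:15 +0100] "GET /jsp/AddDC.jsp?domainName=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540
10.0.0.7 - - [07/Feb/2012:10:04:40 +0100] "POST /DomainConfig.do HTTP/1.1" 200 300
"""

# Allowlist of what a legitimate value should look like. The advisory names the
# endpoints and parameters; the permitted shapes below are assumptions.
HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
WATCHED = {
    "/jsp/AddDC.jsp": {"domainName": HOSTNAME},
    "/DomainConfig.do": {"operation": re.compile(r"^[A-Za-z0-9_]+$")},
}
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_requests(log_text):
    """Return (line_no, path, param, decoded_value) for every watched parameter
    whose percent-decoded value does not match the allowlist for that parameter."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQ_LINE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        rules = WATCHED.get(parts.path)
        if not rules:
            continue
        # parse_qsl percent-decodes, so an encoded '<' is compared as '<'.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            pattern = rules.get(name)
            if pattern and not pattern.fullmatch(value):
                hits.append((n, parts.path, name, value))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Only the GET case is visible in an access log; the POST 'operation' parameter of '/DomainConfig.do' never reaches the log line, so that case needs request-body logging (or a WAF/reverse proxy that inspects bodies) for the same allowlist to apply.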

Proof of Concept
Disclosure Timeline
07.02.2012 Vendor has knowledge of the issue and is developing a patch.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
07.02.2012 Initial release
08.02.2012 Added references [4], [5] and [6]
09.02.2012 Added reference [7]
17.02.2012 Added reference [8]