ManageEngine ServiceDesk Plus 8.0 Multiple Stored XSS Vulnerabilities
Title: ManageEngine ServiceDesk Plus 8.0 Multiple Stored XSS Vulnerabilities
Advisory ID: ZSL-2011-5039
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 23.08.2011
Apache-Coyote/1.1
Java Servlet 2.4
Tomcat-5.0.28/JBoss-3.2.6
[26.07.2011] Vendor contacted.
[26.07.2011] Vendor replies asking more details.
[26.07.2011] Sent vulnerability details to vendor.
[26.07.2011] Vendor confirms XSS issues assigning Issue ID: SD-39838.
[01.08.2011] Requested status update from vendor.
[02.08.2011] Vendor replies.
[03.08.2011] Working with the vendor.
[08.08.2011] Asked vendor for scheduled patch release date.
[08.08.2011] Vendor replies.
[09.08.2011] Working with the vendor.
[16.08.2011] Vendor releases build 8015 to address these issues.
[23.08.2011] Public security advisory released.
[2] http://www.exploit-db.com/exploits/17713/
[3] http://packetstormsecurity.org/files/104365
[4] http://securityreason.com/wlb_show/WLB-2011080162
[5] http://secunia.com/advisories/45675/
[6] http://secunia.com/advisories/45390/
[7] http://osvdb.org/show/osvdb/74713
[8] http://osvdb.org/show/osvdb/74714
[9] http://osvdb.org/show/osvdb/74715
[10] http://osvdb.org/show/osvdb/74716
[11] http://osvdb.org/show/osvdb/74717
[12] http://osvdb.org/show/osvdb/74718
[13] http://osvdb.org/show/osvdb/74719
[14] http://osvdb.org/show/osvdb/74720
[15] http://xforce.iss.net/xforce/xfdb/69383
[24.08.2011] - Added reference [4], [5] and [6]
[25.08.2011] - Added reference [7], [8], [9], [10], [11], [12], [13], [14] and [15]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2011-5039
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 23.08.2011
Summary
ServiceDesk Plus integrates your help desk requests and assets to help you manage your IT effectively. It helps you implement ITIL best practices and troubleshoot IT service requests faster. ServiceDesk Plus is a highly customizable, easy-to-implement help desk software.Description
The application suffers from multiple stored XSS vulnerabilities. Input thru several parameters is not sanitized allowing the attacker to execute HTML code into user's browser session on the affected site. Also, couple of HTTP header elements are vulnerable to XSS.Vendor
Zoho Corporation Pvt. Ltd. - http://www.manageengine.comAffected Version
8.0.0 Build 8013 (Enterprise)Tested On
Microsoft Windows XP Professional SP3 (English)Apache-Coyote/1.1
Java Servlet 2.4
Tomcat-5.0.28/JBoss-3.2.6
Vendor Status
[23.07.2011] Vulnerabilities discovered.[26.07.2011] Vendor contacted.
[26.07.2011] Vendor replies asking more details.
[26.07.2011] Sent vulnerability details to vendor.
[26.07.2011] Vendor confirms XSS issues assigning Issue ID: SD-39838.
[01.08.2011] Requested status update from vendor.
[02.08.2011] Vendor replies.
[03.08.2011] Working with the vendor.
[08.08.2011] Asked vendor for scheduled patch release date.
[08.08.2011] Vendor replies.
[09.08.2011] Working with the vendor.
[16.08.2011] Vendor releases build 8015 to address these issues.
[23.08.2011] Public security advisory released.
PoC
servicedesk_xss.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.manageengine.com/products/service-desk/readme-8.0.html#8.7[2] http://www.exploit-db.com/exploits/17713/
[3] http://packetstormsecurity.org/files/104365
[4] http://securityreason.com/wlb_show/WLB-2011080162
[5] http://secunia.com/advisories/45675/
[6] http://secunia.com/advisories/45390/
[7] http://osvdb.org/show/osvdb/74713
[8] http://osvdb.org/show/osvdb/74714
[9] http://osvdb.org/show/osvdb/74715
[10] http://osvdb.org/show/osvdb/74716
[11] http://osvdb.org/show/osvdb/74717
[12] http://osvdb.org/show/osvdb/74718
[13] http://osvdb.org/show/osvdb/74719
[14] http://osvdb.org/show/osvdb/74720
[15] http://xforce.iss.net/xforce/xfdb/69383
Changelog
[23.08.2011] - Initial release[24.08.2011] - Added reference [4], [5] and [6]
[25.08.2011] - Added reference [7], [8], [9], [10], [11], [12], [13], [14] and [15]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
