Last active: November 3, 2019 18:00
Findings for CVE-2019-18411
[Product Description]
Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. A user who is
attacked via this vulnerability is tricked into unintentionally modifying their enrolled information, such as email
address and mobile phone number. As a consequence, an attacker could invoke the password reset function and have the
system send the authentication code to a channel that the attacker controls.
------------------------------------------
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
------------------------------------------
[Vendor of Product]
ManageEngine
------------------------------------------
[Affected Product Code Base]
ADSelfService Plus - Build No.5803
------------------------------------------
[Affected Component]
ADSelfService Plus; users' profile information page
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
CSRF over the function that could manipulate profile information in order to do a malicious password reset
------------------------------------------
[Attack Vectors]
General CSRF; web application
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[PoC]
The CSRF protection mechanism did not work on /ServletAPI/selfservice/updateLayoutDetails.
1) The Cookie “adscsrf” was not necessary; we could modify it as we wanted.
2) The request parameter “adscsrf” was not necessary; we could remove it.
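Added illustration (not the advisory's or ManageEngine's code): a server-side check that treats the "adscsrf" cookie and request parameter named above as a double-submit token pair, placed beside a stand-in for the behaviour the findings describe, where the token is never validated. The double-submit semantics, the MIN_TOKEN_LEN value and the update_layout_details stand-in are assumptions, not the product's actual mechanism.

```python
import hmac
from typing import Callable, Mapping, Optional

# Names taken from the advisory; the double-submit semantics are an assumption.
CSRF_COOKIE = "adscsrf"
CSRF_PARAM = "adscsrf"
MIN_TOKEN_LEN = 32  # assumed minimum length of a server-issued token

Check = Callable[[Mapping[str, str], Mapping[str, str]], bool]


def csrf_check_vulnerable(cookies: Mapping[str, str], params: Mapping[str, str]) -> bool:
    """Behaviour described in findings 1) and 2): neither copy of the token is
    validated, so a forged cross-site request without the cookie or the
    parameter (or with arbitrary values) is accepted."""
    return True


def csrf_check_hardened(cookies: Mapping[str, str], params: Mapping[str, str]) -> bool:
    """Accept only if both copies of the token are present, look like a
    server-issued token, and match; compare in constant time."""
    cookie_token: Optional[str] = cookies.get(CSRF_COOKIE)
    param_token: Optional[str] = params.get(CSRF_PARAM)
    if not cookie_token or not param_token:
        return False  # parameter removed (finding 2) or cookie absent
    if len(cookie_token) < MIN_TOKEN_LEN or len(param_token) < MIN_TOKEN_LEN:
        return False  # attacker-chosen short/garbage value (finding 1)
    return hmac.compare_digest(cookie_token, param_token)


def update_layout_details(cookies: Mapping[str, str], params: Mapping[str, str],
                          check: Check) -> str:
    """Stand-in (hypothetical) for /ServletAPI/selfservice/updateLayoutDetails:
    the profile change is applied only when the CSRF check passes."""
    if not check(cookies, params):
        return "403 CSRF token missing or mismatched"
    return "200 profile updated: email=%s" % params.get("email", "")
```

A cookie-free forged POST that carries only a new email address passes the vulnerable check and is rejected by the hardened one.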
------------------------------------------
[Discoverer]
Pornsook Kornkitichai
https://incognitolab.com
------------------------------------------