HTML Injection vulnerability in Manage Engine DesktopCentral UEM solution

INTRODUCTION

eSecForte Technologies security researcher Abhinav Khanna found an HTML injection vulnerability in Manage Engine DesktopCentral, and it has been assigned CVE-2019-16962 by MITRE.

Manage Engine DesktopCentral is a Unified Endpoint Management (UEM) solution that helps manage servers, desktops, virtual machines, mobile phones and tablets. Its features include Patch Management, Software Deployment, Remote Desktop Sharing, IT Asset Management, Desktop Configurations, Service Pack Installation, Active Directory Reports, User Administration, Mobile Device Management and many more.

Description:

HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.

 

 

Impact:

A possible attack scenario is demonstrated below:

  • Attacker discovers injection vulnerability and decides to use an HTML injection attack
  • Attacker crafts malicious link, including his injected HTML content, and sends it to a user via email
  • The user visits the page due to the page being located within a trusted domain
  • The attacker’s injected HTML is rendered and presented to the user asking for a username and password
  • The user enters a username and password, which are both sent to the attacker's server

Recommendation:

  • Your script should filter metacharacters from user input.
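
The recommendation above, applied to the payload from step 3 of the reproduction steps below, as an added example (not code from DesktopCentral or from the researcher). The function names, the allow-list and the <li><p> row template are assumptions made for illustration; the example pairs an input filter with output encoding and uses an HTML parser to check which tags a rendered report row would contain.

```python
import html
import re
from html.parser import HTMLParser

# Payload from step 3 of the reproduction steps on this page.
PAYLOAD = "</p> <h1><s>esecforte</s></h1> <p>"

# Constructed allow-list for report names (assumption, not the product's rule).
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")


def validate_report_name(name: str) -> bool:
    """Input filter: accept only names made of allow-listed characters."""
    return SAFE_NAME.fullmatch(name) is not None


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: stored value concatenated into markup as-is."""
    return "<li><p>" + name + "</p></li>"


def render_safe(name: str) -> str:
    """Hardened pattern: HTML-encode the stored value at output time."""
    return "<li><p>" + html.escape(name, quote=True) + "</p></li>"


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(markup: str, expected=("li", "p")) -> list:
    """Tags in the rendered row that the template itself never emits."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return [t for t in parser.tags if t not in expected]
```

The injected_tags check can run as a regression test against any template that displays stored report names.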

 

Steps to Reproduce:

1. Login using valid credentials and go to Custom Reports


2. Create a new custom report as shown in the screenshot. Click Run&Save and intercept the request.


3. After intercepting the request, change the value of the requestname parameter from abcd to </p> <h1><s>esecforte</s></h1> <p>.


4. Open all custom reports and notice that the HTML injection payload successfully executes.


Disclosure Process

  1. Reported the vulnerability to the vendor's security or PSIRT team.
  2. Received acknowledgement from the vendor confirming that the vulnerability exists.
  3. CVE has been filed in NVD.
  4. Vendor confirmed that the vulnerability is fixed or that a latest version or patch is released.
  5. Vulnerability disclosed to the public.

 

 

Reference

https://www.manageengine.com/products/desktop-central/html-injection-vulnerability.html

https://www.acunetix.com/vulnerabilities/web/html-injection/

 

Has the vendor confirmed or acknowledged the vulnerability?

Yes

Discoverer

Abhinav Khanna from eSec Forte Technologies Pvt Ltd