Research & Development
$ #

CVE-2021-37421

Admin portal access restriction bypass via X-Forwarded-For header

5.3 (Medium)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

ManageEngine ADSelfService Plus

< 6104

Krzysztof Andrusiak and Marcin Ogorzelski

ADSelfService Plus allows administrators to restrict Admin portal access based on IP address. An attacker can bypass this security mechanism using "X-Forwarded-For" header set to whitelisted IP address.

  1. Enable "Allow/Restrict Admin portal access based on IP Addresses" in ADSSP's Logon Settings. Set "Restricted IP Addresses" to IP of a machine which will be used in next steps.
  2. Go to /adminLogin.cc - message "You don't have permission to access this page !" should be returned.
  3. Using intercepting proxy add X-Forwarded-For: 127.0.0.1 header to all requests.
  4. Go to /adminLogin.cc again - this time user can log in as administrator, bypassing IP address restriction.
  • 17-03-2021 - Vulnerability reported to vendor
  • 18-03-2021 - First response from vendor
  • 08-05-2021 - Fixed version release
  • 30-08-2021 - Public disclosure
  • 21-02-2022 - PoC release