

Admin portal access restriction bypass via X-Forwarded-For header

Severity: 5.3 (Medium)

Product: ManageEngine ADSelfService Plus

Affected versions: < 6104

Credits: Krzysztof Andrusiak and Marcin Ogorzelski

ADSelfService Plus allows administrators to restrict Admin portal access based on the client's IP address. Because the application takes the client IP from the "X-Forwarded-For" request header, which is fully under the client's control, an attacker can bypass this mechanism by sending the header set to a whitelisted IP address.

  1. Enable "Allow/Restrict Admin portal access based on IP Addresses" in ADSSP's Logon Settings and add the IP address of the machine used in the next steps to "Restricted IP Addresses".
  2. Request / from that machine. The response should be the message "You don't have permission to access this page !".
  3. Using an intercepting proxy, add an X-Forwarded-For: header to every request, set to an IP address that the restriction allows.
  4. Request / again. The restriction is now bypassed and the user can log in as an administrator.
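The following Python model is an added example, not code from the advisory or from ManageEngine. It reproduces the logic behind the steps above: a restrict-mode IP check fed by a client-IP resolver that blindly trusts X-Forwarded-For (the behaviour the advisory describes), next to a hardened resolver that only honours the header when the TCP peer is a known reverse proxy and then takes the address that proxy appended. The addresses, the restricted list and the trusted-proxy list are constructed for the demonstration; the hardened variant generalises beyond this product to any application that sits behind a proxy.

```python
import ipaddress

# Constructed configuration (not from the advisory): the attacker's machine
# 10.0.0.5 is listed under "Restricted IP Addresses", mirroring step 1 above.
RESTRICTED_IPS = {"10.0.0.5"}

# Constructed: reverse proxies that are allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {"192.0.2.10"}


def client_ip_vulnerable(peer_ip, headers):
    """Client IP as a naive implementation derives it: the first address in
    X-Forwarded-For wins whenever the header is present, no matter who sent
    it. Any direct client can therefore choose its own 'source' address."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip, headers):
    """Client IP derived safely: X-Forwarded-For is only honoured when the TCP
    peer is a trusted proxy, and then only the rightmost entry that is not a
    trusted proxy itself (the address the last trusted hop appended).
    Returns None when a trusted proxy supplied a malformed entry, so the
    caller fails closed."""
    if peer_ip not in TRUSTED_PROXIES:
        # Direct client: the header is attacker-controlled, ignore it.
        return peer_ip
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop in TRUSTED_PROXIES:
            continue  # address of one of our own proxies, keep walking left
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return None  # malformed entry from a trusted proxy: deny
    return peer_ip  # header absent: the proxy itself is the client


def admin_portal_allowed(client_ip):
    """'Allow/Restrict Admin portal access based on IP Addresses' in restrict
    mode: listed addresses (and unresolvable ones) are denied, all others
    are allowed."""
    return client_ip is not None and client_ip not in RESTRICTED_IPS


def check(resolver, peer_ip, headers):
    """True if a request from peer_ip with the given headers would reach the
    admin portal when the client IP is determined by `resolver`."""
    return admin_portal_allowed(resolver(peer_ip, headers))


if __name__ == "__main__":
    bypass = {"X-Forwarded-For": "10.0.0.99"}  # step 3: spoofed allowed address
    print("step 2, no header     :", check(client_ip_vulnerable, "10.0.0.5", {}))
    print("step 4, vulnerable    :", check(client_ip_vulnerable, "10.0.0.5", bypass))
    print("step 4, hardened      :", check(client_ip_hardened, "10.0.0.5", bypass))
    # Behind the trusted proxy the proxy appends the real peer address, so a
    # spoofed leading entry does not help the attacker.
    via_proxy = {"X-Forwarded-For": "10.0.0.99, 10.0.0.5"}
    print("via proxy, hardened   :", check(client_ip_hardened, "192.0.2.10", via_proxy))
```

Against a live instance the same two requests from the restricted machine, one without and one with a curl `-H 'X-Forwarded-For: <allowed address>'` header, are enough to confirm the bypass; the model above only shows why it works and what the corrected resolution looks like.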
  • 17-03-2021 - Vulnerability reported to vendor
  • 18-03-2021 - First response from vendor
  • 08-05-2021 - Fixed version release
  • 30-08-2021 - Public disclosure
  • 21-02-2022 - PoC release