Admin portal access restriction bypass via X-Forwarded-For header
ManageEngine ADSelfService Plus
Krzysztof Andrusiak and Marcin Ogorzelski
ADSelfService Plus allows administrators to restrict Admin portal access based on IP address. An attacker can bypass this security mechanism by sending an "X-Forwarded-For" header set to a whitelisted IP address, because the application evaluates the restriction against the header value instead of the actual source address of the connection.
- Enable "Allow/Restrict Admin portal access based on IP Addresses" in ADSSP's Logon Settings. Set "Restricted IP Addresses" to the IP of the machine which will be used in the next steps.
- Go to /adminLogin.cc - the message "You don't have permission to access this page !" should be returned.
- Using an intercepting proxy, add the X-Forwarded-For: 127.0.0.1 header to all requests.
- Go to /adminLogin.cc again - this time the user can log in as administrator, bypassing the IP address restriction.
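The following Python is an added illustration, not code from ADSelfService Plus or the researchers: it models the flawed client-address logic (any X-Forwarded-For value is trusted) next to a hardened version that only honours the header when the TCP peer is a known reverse proxy, and applies the "Restricted IP Addresses" deny rule to the resolved address. The restricted address, the proxy address and the header handling are assumptions.

```python
import ipaddress
from typing import Callable, Mapping

# Constructed sample configuration (assumed, not taken from ADSelfService Plus):
# addresses blocked from the Admin portal, and the reverse proxy the app sits behind.
RESTRICTED_IPS = {"203.0.113.9"}
TRUSTED_PROXIES = {"10.0.0.2"}


def _header(headers: Mapping[str, str], name: str) -> str:
    # HTTP header names are case-insensitive.
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def client_ip_vulnerable(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Flawed pattern: any X-Forwarded-For value is believed, whoever sent it,
    so the restriction is evaluated against an address the client chose."""
    xff = _header(headers, "X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_hardened(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then take the right-most hop that is not itself a trusted proxy (the one
    the proxy appended), never the client-controlled left-most entry."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    hops = [h.strip() for h in _header(headers, "X-Forwarded-For").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in TRUSTED_PROXIES:
            return hop
    return remote_addr


def admin_portal_allowed(resolve: Callable[[str, Mapping[str, str]], str],
                         remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Apply the 'Restricted IP Addresses' rule to the resolved client address."""
    ip = resolve(remote_addr, headers)
    try:
        ipaddress.ip_address(ip)  # reject an empty or malformed header value
    except ValueError:
        return False
    return ip not in RESTRICTED_IPS


if __name__ == "__main__":
    # The advisory's scenario: the restricted machine connects directly and spoofs the header.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("vulnerable:", admin_portal_allowed(client_ip_vulnerable, "203.0.113.9", spoofed))  # True
    print("hardened:  ", admin_portal_allowed(client_ip_hardened, "203.0.113.9", spoofed))    # False
```

The same peer-address check applies unchanged when the setting is used as an allow list rather than a deny list.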
- 17-03-2021 - Vulnerability reported to vendor
- 18-03-2021 - First response from vendor
- 08-05-2021 - Fixed version release
- 30-08-2021 - Public disclosure
- 21-02-2022 - PoC release