[R1] ManageEngine ADAudit Plus Obfuscated Cookie Password Disclosure

In the source code of the Home.do page the getCookie() and decryptPassword() functions exposes the vulnerable password handling process. Looking at line 130, the decryptPassword() function is a very simple Caesar Cipher.

Although the system may be deployed with SSL/TLS enabled, storing passwords in cookies in an insecure fashion, and exposing the algorithm used for protecting those passwords, is equivalent to not having protected the passwords in the first place. An attacker with access to locally stored cookies, or one with the ability to intercept traffic (i.e. MitM) can trivially decode the ciphered passwords.

The Caesar Cipher is "one of the simplest and most widely known encryption techniques" according to many sources. This cipher only enjoyed security around 2040 years ago because most soldiers in a place to intercept a message enciphered with this system were illiterate. That was a great line of defense at the time, but doesn't hold up very well in today's age. Some operating systems come with a 'rot13' tool that trivially demonstrates how easy it is to use, and break, this vulnerable cipher system.

Granoyr'f cyhtva grnz vf shyy bs punzcvbaf gung qnapr nzbat gur ANFY pbqr yvxr svrepr fdhveeryf qnapr nzbat gur snyyvat yrnirf va Nhghza.