How to identify and defend your ADManager Plus installation from the user enumeration without authentication vulnerability

ADManager Plus contains a user enumeration without authentication vulnerability, which was reported by Patrick, a vulnerability researcher. This article explains the steps you can take to prevent malicious users from exploiting this vulnerability in your environment.

 

What’s the issue?

The Employee Search feature in ADManager Plus serves as a corporate directory search for looking up information regarding other users and contacts. As users don't have to log in to the product to access this feature, even unauthenticated users could use it to find the personally identifiable information of other users.

 

Who’s affected?

All ADManager Plus versions before 7061 have the Employee Search feature enabled by default.

What’s the severity level of the vulnerability?

The severity level of this vulnerability is medium.

 

How can you fix this vulnerability?

Based on your organization's security policies and specific needs, you can make the following modifications to this feature's functions:

  • Limit the scope of Employee Search to only specific domains or OUs.

  • Specify which user or contact details are displayed in the search results.

  • Specify which attributes or details can be used to locate users or contacts.

  • Disable the Employee Search option completely.

 

Steps to fix this vulnerability:

  1. Log in to the ADManager Plus console, and navigate to the Admin tab.

  2. Click Configure AD Search listed under Employee Preferences.

    • Disable Employee Search: If you wish to disable this search option completely, uncheck the Show Employee Search in login page option. Note that doing so will hide this option on the login page.

    • Limit the scope of Employee Search: You can restrict the search to specific domains and OUs. To do this, select the domain and its corresponding OUs from the Selected Domain field.

    • Limit the details displayed in search results: Uncheck the respective attributes in the Users and Contacts tabs listed under Available Columns in Display Columns, so that they will not be displayed in the search results.

    • Specify the attributes that can be used to search for users or contacts: Select the desired attributes in the Users and Contacts tabs, listed under Available Columns in Search Criteria.

  3. Click Save Settings to complete the AD search configuration.

 

If you need any additional information or have trouble performing the recommended steps, please write to us at support@admanagerplus.com. You can also call us toll-free at +1-844-245-1108.
