lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 04 Mar 2014 11:59:22 +0100
From: Bartlomiej Balcerek <Bartlomiej.Balcerek@....edu.pl>
To: bugtraq@...urityfocus.com
Subject: JOIDS (Java OpenID Server) multiple vulnerabilities

Hi,

This is a public disclosure (with disarmed Proof of Concept) of
unpatched vulnerabilities in JOIDS (Java OpenID Server).

"JOIDS (Java OpenID Server) is a multi-domain, multi-user OpenID
Provider based on OpenID4Java, Spring Framework, Hibernate, Velocity"
(https://code.google.com/p/openid-server/).

JOIDS version 1.2.1 (current) and probably prior versions are prone to
reflected XSS'es and session fixation vulnerabilities. As Vendor
failed to issue a patch (see below) application may be considered as
vulnerable and not supported any more.

Timeline:

24.11.2013 - Vendor notified
01.12.2013 - Vendor response: "no time to fix"
04.01.2014 - Vendor notified of possible disclosure (no answer)
04.03.2014 - Public disclosure

Vulnerabilities' details are below. Remaining attributes, not relevant
to vulnerabilities, but required by OpenID provider have been removed.

1) XSS in openid.identity parameter. Example:

https://<openid_server>/server?<removed_attributes>&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select"><img%20src%3da%20onerror%3dalert("XSS")><

2) XSS in openid.realm parameter. Example:

https://<openid_server>/server?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.realm=https://<SCRIPT>alert("XSS")</SCRIPT>/&openid.return_to=https://<SCRIPT>alert("XSS")</SCRIPT>&<removed_attributes>

Above bugs can lead to stealing user's session cookie by an attacker or
a Relying Party. Session cookie is a part of a Web page source, so
HttpOnly attribute does not protect cookies from these XSS attacks.

3) Session fixation

It is possible for an attacker to trick legitimate user to click link
like:
https://<openid_server>/home;jsessionid=9FBC9A83AD152F5701C0395A92FF23AB
and wait until the user logs in. After that, the attacker can use this
jsessioid to forge his cookie and get access to OpenID server with
legitimate user's
permissions.

greets,
-- 
Bartlomiej Balcerek
Wroclaw Centre for Networking and Supercomputing

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ