Open Source and information security mailing list archives
Date: Wed, 25 Mar 2015 16:01:25 +0100
From: Bartlomiej Balcerek <>
Subject: WSO2 Identity Server multiple vulnerabilities


WSO2 Identity Server versions 4.5.0/4.6.0/5.0.0 are prone to multiple
vulnerabilities, including authentication bypass.


09.10.2014 - Vendor notified
22.11.2014 - Vendor confirmed
04.12.2014 - Patches released
25.03.2015 - Bugtraq disclosure

Vulnerable versions:

IS 4.5.0
IS 4.6.0
IS 5.0.0

Fixed versions:

IS 4.5.0 + WSO2-CARBON-PATCH-4.2.0-0932
IS 4.6.0 + WSO2-CARBON-PATCH-4.2.0-0933
IS 5.0.0 + WSO2-CARBON-PATCH-4.2.0-0930
IS 5.0.0 + Service Pack 1

Vulnerability details:

1) Identity spoofing/authentication bypass. An attacker needs to log in to
WSO2 IS to obtain a valid HTTP session. Given this session, he/she can
request an OpenID assertion from WSO2 IS for _any_ identity
(openid.identity). Thus any authenticated user is able to spoof any
identity he/she requests, in order to log in to the RP as a user of his/her choice.

2) XSS A - HTML injection


3) XSS B - HTML injection


4) XSS C - JavaScript injection


Bartlomiej Balcerek
Wroclaw Centre for Networking and Supercomputing
Wroclaw University of Technology, Poland
phone: +48 (71) 320-20-79 mail:
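A model of the missing check behind item 1, added here as an illustration and not WSO2 code: the vulnerable issuer signs whatever openid.identity the authenticated session asks for, while the fixed issuer only asserts the identity bound to that session (and resolves identifier_select to it). The identity URL layout (IDP_BASE), the association secret and the signing details are assumptions.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical provider model, not WSO2 code. Assumed layout: a user's
# OpenID identity URL is IDP_BASE + username.
IDP_BASE = "https://idp.example.test/openid/"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
ASSOC_SECRET = b"constructed-association-secret"  # agreed with the RP in a real flow

@dataclass
class Session:
    """Authenticated HTTP session at the identity provider."""
    username: str

class IdentitySpoofError(Exception):
    pass

def identity_for(username: str) -> str:
    return IDP_BASE + username

def normalise(url: str) -> str:
    """Canonical form so scheme/host case and a trailing slash cannot bypass the check."""
    p = urlparse(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"

def build_assertion(identity: str, request: dict) -> dict:
    """Positive assertion (openid.mode=id_res) with an OpenID 2.0 style
    HMAC over the signed fields, base64-encoded into openid.sig."""
    fields = {"openid.identity": identity, "openid.claimed_id": identity,
              "openid.return_to": request["openid.return_to"]}
    kv = "".join(f"{k[7:]}:{v}\n" for k, v in sorted(fields.items()))  # strip "openid."
    mac = hmac.new(ASSOC_SECRET, kv.encode(), hashlib.sha256).digest()
    fields.update({"openid.mode": "id_res",
                   "openid.signed": ",".join(k[7:] for k in sorted(fields)),
                   "openid.sig": base64.b64encode(mac).decode()})
    return fields

def issue_assertion_vulnerable(session: Session, request: dict) -> dict:
    """Mirrors the reported flaw: asserts the requested openid.identity
    without checking that it belongs to the authenticated user."""
    return build_assertion(request["openid.identity"], request)

def issue_assertion_fixed(session: Session, request: dict) -> dict:
    """Binds the asserted identity to the session's authenticated principal."""
    own = identity_for(session.username)
    requested = request["openid.identity"]
    if requested == IDENTIFIER_SELECT:  # RP let the OP pick: use the session's own identity
        requested = own
    if normalise(requested) != normalise(own):
        raise IdentitySpoofError(f"user {session.username!r} may not assert {requested!r}")
    return build_assertion(own, request)
```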

