lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <30982e59a05f4393a63f84dbb54691b9@Wapiti.compass-security.com>
Date: Tue, 23 Feb 2016 13:42:20 +0000
From: Alexandre Herzog <Alexandre.Herzog@...c.ch>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
 "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CSNC-2016-001 - XSS in OpenAM

#############################################################

#

# COMPASS SECURITY ADVISORY http://www.csnc.ch/en/downloads/advisories.html

#############################################################

#

# CSNC ID:          CSNC-2016-001

# Product:          OpenAM [1]

# Vendor:           ForgeRock

# Subject:           Cross-Site Scripting - XSS

# Risk:                  High

# Effect:              Remotely exploitable

# Author:            Stephan Sekula (stephan.sekula@...c.de)

# Date:                 February 23rd 2016

#

#############################################################

 

 

Introduction:

-------------

OpenAM provides core identity services to simplify the implementation of 

transparent single sign-on (SSO) as a security component in a network 

infrastructure. OpenAM provides the foundation for integrating diverse 

web applications that might typically operate against a disparate set of 

identity repositories and are hosted on a variety of platforms such as 

web and application servers. [1] 

 

Compass Security discovered a web application security flaw in the OpenAM

application which allows an attacker to manipulate the resulting website.

This allows, for instance, stealing of user sessions, attacking the user's

browser or redirecting the user to a Phishing website. Since it is the

victim who needs to visit the malicious link, this attack is possible for

unauthenticated attackers who do not have access to the affected websites.

 

 

Affected Versions:

------------------

The following OpenAM versions are vulnerable:

- 9-9.5.5

- 10.0.0-10.0.2

- 10.1.0-Xpress

- 11.0.0-11.0.3

- 12.0.0-12.0.2

 

OpenAM version 13.0.0 is not vulnerable.

 

 

Patches:

--------

OpenAM released patches for each affected version as part of OpenAM

Security Advisory #201601 [2].

 

 

Technical Description:

----------------------

OpenAM provides a blacklist mechanism that allows specifying dangerous 

input. If user input is part of this blacklist, the user should be 

redirected to an error page. However, this mechanism is not implemented 

in page exportmetadata.jsp. Exploiting the vulnerability will lead to 

so-called Cross-Site Scripting (XSS), allowing the execution of 

JavaScript in the context of the victim and thus the impersonation of 

logged-in OpenAM users:

https://<URL>/.../exportmetadata.jsp?entityid=sp&realm="<script>alert(0)</sc
ript>

 

Response:

ERROR : Unable to read configuration of component "SAML2" for realm

""<script>alert(0)</script>".

 

Furthermore, a blacklist approach bears the risk of missing malicious input.

 

 

Milestones:

-----------

2015-12-16: Vulnerability discovered

2016-01-04: Vendor notified

2016-02-05: Vendor provided patched version

2016-02-23: Public disclosure

 

 

References:

-----------

[1] http://openam.forgerock.org/

[2] https://forgerock.org/2016/02/openam-security-advisory-201601/


Download attachment "smime.p7s" of type "application/pkcs7-signature" (5735 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ