lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 29 Aug 2019 16:56:46 +0200
From: SBA Research Advisory <>
To: <>
Subject: [FD] [SBA-ADV-20190305-01] CVE-2019-13564: Ping Identity Agentless
 Integration Kit <1.5 Reflected Cross-site Scripting (XSS)

# Ping Identity Agentless Integration Kit Reflected Cross-site Scripting (XSS) #


## Vulnerability Overview ##

Ping Identity Agentless Integration Kit before 1.5 is susceptible to
Reflected Cross-site Scripting at the `/as/authorization.oauth2`
endpoint due to improper encoding of an arbitrarily submitted HTTP
GET parameter name.

* **Identifier**            : SBA-ADV-20190305-01
* **Type of Vulnerability** : Cross-site Scripting
* **Software/Product Name** : [Ping Identity Agentless Integration Kit](
* **Vendor**                : [Ping Identity](
* **Affected Versions**     : < 1.5
* **Fixed in Version**      : 1.5
* **CVE ID**                : CVE-2019-13564
* **CVSSv3 Vector**         : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* **CVSSv3 Base Score**     : 6.1 (Medium)

## Vendor Description ##

> After authenticating the user (via a federated security token or
> authentication adapter), the user will be presented to the protected
> application via an SP adapter. This adapter provides the last-mile
> connection between the federation server (PingFederate) and the
> application, the user will be presented to the application which can
> then create a session and render the application for the
> authenticated user.

Source: <>

## Impact ##

By exploiting the documented vulnerability, an attacker can execute
JavaScript code in a victim's browser within the origin of the target
site. This can be misused, for example, for phishing attacks by
displaying a fake login form in the context of the trusted site via
JavaScript and then sending the victim's credentials to the attacker.

## Vulnerability Description ##

The `/as/authorization.oauth2` endpoint of PingFederate takes several
HTTP GET parameter name-value pairs, which are subsequently rendered
as an HTML form with hidden input fields.


The name of the HTTP parameter is rendered as the `name` attribute of
the corresponding input field, and the HTTP parameter value is rendered
as the `value` attribute. The content of the `value` attribute is HTML-
encoded and therefore not susceptible to XSS. However, the content of
the `name` attribute is written to the HTML document without any
encoding or sanitization.

## Proof of Concept ##

An attacker can exploit this vulnerability by ending the HTML attribute
and element and then inserting, for example, a `script` tag.


The last parameter reads as follows when URL-decoded:


This leads to the following HTML response (shortened for readability):

<form method="post" action="[...]">
    <input type="hidden" name="REF" value="[...]"/>
    <!-- ... -->
    <input type="hidden" name=""><script>alert(1)</script>" value=""/>
    <!-- ... -->

## Recommended Countermeasures ##

We recommend to HTML-encode the parameter name the same way the
parameter value is encoded.

## Timeline ##

* `2019-03-05` Identified the vulnerability in version < 1.5
* `2019-03-25` Contacted the vendor via support
* `2019-05-24` Finding review with Ping Identity and SBA Research
* `2019-07-11` Publication of CVE-2019-13564

## References ##

* [NIST NVD entry of CVE-2019-13564](

## Credits ##

* Thomas Konrad ([SBA Research](

Download attachment "0xFBB8862F58F775B2.asc" of type "application/pgp-keys" (3542 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists