lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CA+Ma4Js6yLKZhSsCvmf_8FMg6ovbv62XL5wWxROyVD4QkoH4Rw@mail.gmail.com>
Date: Fri, 21 Feb 2020 13:45:51 -0700
From: aaron bishop <abishop@...ux.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2020-5497 - MITREid Connect XSS

MITREid Connect OpenID-Connect-Java-Spring-Server
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server> version
1.3.3 and earlier is vulnerable to Cross-Site Scripting; the users name is
included in *topbar.tag* and *header.tag* without being sanitized.  A user
can set their name to a value like:

Test</script><script>alert(1)</script>

Which will be included in JSON used by a JavaScript function in *header.tag*
:

// get the info of the current user, if available (null otherwise)
>     function getUserInfo() {
>         return {"sub":"12318767","name":"
> *Test</script><script>alert(1)</script>*
> Test","preferred_username":"Test","given_name":"Test</script><script>alert(1)</script>","family_name":"Test","email":"
> test@...t.com","email_verified":true};}


A name such as:

Test<script>alert(1)</script>

would also work; it is included in the page when menus are created by
*topbar.tag*:

<!-- use a simplified user button system when collapsed -->
> <ul class="nav hidden-desktop">
> <li><a href="manage/#user/profile">*Test<script>alert(1)</script>*
> Test</a></li>
> <li class="divider"></li>
> <li><a href="" class="logoutLink"><i class="icon-remove"></i> Log
> out</a></li>


This issue has been reported on Github
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521>
with
patches pending.

A write up is available at:
https://www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-2020-5497

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ