Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

CSNC-2016-001 - XSS in OpenAM

From: Alexandre Herzog <Alexandre.Herzog () csnc ch>
Date: Tue, 23 Feb 2016 13:42:20 +0000
#############################################################

#

# COMPASS SECURITY ADVISORY http://www.csnc.ch/en/downloads/advisories.html

#############################################################

#

# CSNC ID:          CSNC-2016-001

# Product:          OpenAM [1]

# Vendor:           ForgeRock

# Subject:           Cross-Site Scripting - XSS

# Risk:                  High

# Effect:              Remotely exploitable

# Author:            Stephan Sekula (stephan.sekula () csnc de)

# Date:                 February 23rd 2016

#

#############################################################

 

 

Introduction:

-------------

OpenAM provides core identity services to simplify the implementation of 

transparent single sign-on (SSO) as a security component in a network 

infrastructure. OpenAM provides the foundation for integrating diverse 

web applications that might typically operate against a disparate set of 

identity repositories and are hosted on a variety of platforms such as 

web and application servers. [1] 

 

Compass Security discovered a web application security flaw in the OpenAM

application which allows an attacker to manipulate the resulting website.

This allows, for instance, stealing of user sessions, attacking the user's

browser or redirecting the user to a Phishing website. Since it is the

victim who needs to visit the malicious link, this attack is possible for

unauthenticated attackers who do not have access to the affected websites.

 

 

Affected Versions:

------------------

The following OpenAM versions are vulnerable:

- 9-9.5.5

- 10.0.0-10.0.2

- 10.1.0-Xpress

- 11.0.0-11.0.3

- 12.0.0-12.0.2

 

OpenAM version 13.0.0 is not vulnerable.

 

 

Patches:

--------

OpenAM released patches for each affected version as part of OpenAM

Security Advisory #201601 [2].

 

 

Technical Description:

----------------------

OpenAM provides a blacklist mechanism that allows specifying dangerous 

input. If user input is part of this blacklist, the user should be 

redirected to an error page. However, this mechanism is not implemented 

in page exportmetadata.jsp. Exploiting the vulnerability will lead to 

so-called Cross-Site Scripting (XSS), allowing the execution of 

JavaScript in the context of the victim and thus the impersonation of 

logged-in OpenAM users:

https://<URL>/.../exportmetadata.jsp?entityid=sp&realm="<script>alert(0)</sc
ript>

 

Response:

ERROR : Unable to read configuration of component "SAML2" for realm

""<script>alert(0)</script>".

 

Furthermore, a blacklist approach bears the risk of missing malicious input.

 

 

Milestones:

-----------

2015-12-16: Vulnerability discovered

2016-01-04: Vendor notified

2016-02-05: Vendor provided patched version

2016-02-23: Public disclosure

 

 

References:

-----------

[1] http://openam.forgerock.org/

[2] https://forgerock.org/2016/02/openam-security-advisory-201601/

Attachment: smime.p7s
Description: 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: