Dear all,

It looks like the CAS server is lacking input validation for the
'security_check' parameter, which leads to a cross-site scripting
vulnerability.

By performing a POST request like this:
echo 'POST /sso/login?service=http://$SERVER/$APPLICATION/security_check";><script>alert("vulnerable_to_xss")</script>' | nc $SERVER $PORT | grep '<script>'

it seems to be possible to inject JavaScript code, as can be seen in the
response, which contains the following HTML code inside the form action tag:
action="login;jsessionid=2A2EBF7AF213F90375F2713CF0DD0C59?service=http://$SERVER/$APPLICATION/security_check";><script>alert("vulnerable_to_xss")</script>">

I guess the fix would be to perform proper encoding of that parameter?
It would be great if you could have a look into that.

Best regards,
Felix Reinel

-- 
-----------------------------------------------------------------------
Felix Reinel               |  Web & Systems Administrator
Office: 3001 ESO/IPP       |
Tel.:   +49-89-32006-171   |  Address:
Fax.:   +49-89-32006-677   |    European Southern Observatory
Mobile: +49-160-2956856    |    Karl-Schwarzschild-Strasse 2
E-Mail: [email protected]    |    D-85748 Garching bei Muenchen, Germany
-----------------------------------------------------------------------
                   http://www.eso.org
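Added illustration, not the reporter's or the CAS project's code: the service value and session id from the report above are rendered into a form action attribute first verbatim (as the response shows) and then HTML-attribute-encoded, and a tokenizer-based check shows which variant lets the value break out of the attribute. The surrounding form markup is assumed.

```python
import html
from html.parser import HTMLParser

# Constructed test input: the service value from the report, placeholders kept as-is.
MALICIOUS_SERVICE = ('http://$SERVER/$APPLICATION/security_check";>'
                     '<script>alert("vulnerable_to_xss")</script>')
JSESSIONID = "2A2EBF7AF213F90375F2713CF0DD0C59"  # session id as it appears in the report


def render_form_unencoded(service: str) -> str:
    """Mirrors the reported behaviour: the untrusted 'service' value is
    concatenated into the action attribute without any encoding."""
    return (f'<form method="post" action="login;jsessionid={JSESSIONID}'
            f'?service={service}"></form>')


def render_form_encoded(service: str) -> str:
    """Hardened variant (assumed fix): HTML-attribute-encode the value so that
    a '"' or '<' inside it can neither close the attribute nor open a tag."""
    safe = html.escape(service, quote=True)  # encodes & < > " and '
    return (f'<form method="post" action="login;jsessionid={JSESSIONID}'
            f'?service={safe}"></form>')


class TagCollector(HTMLParser):
    """Records each start tag with its attributes, i.e. what a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    """Tokenise the markup and return [(tag, {attr: value}), ...] in document order."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_tags(markup: str) -> list:
    """Defender-side check: any start tag other than the intended <form> means
    the untrusted value escaped the attribute context."""
    return [tag for tag, _ in parse_tags(markup) if tag != "form"]
```

In the encoded variant the parser still recovers the complete service URL as the value of the action attribute, so the fix does not alter the data, only how it is serialised.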
