Feel free to send it along and we'll take a look.

Cheers,
Scott

On Fri, Feb 26, 2010 at 9:55 AM, Felix Reinel <[email protected]> wrote:
> Hi Scott,
>
> > If you think you have found a security vulnerability, please contact
> > Jasig at this address:
> > http://www.ja-sig.org/wiki/display/JSG/Security+Contact+Group
>
> Alright, they're on CC now.
>
> > You *should* provide an appropriate level of detail:
> > * CAS Version
> > * Any customizations, etc.
>
> The version tested was the latest CAS 3 version. I see that there is a
> custom JSP page in the installation I was testing with.
>
> > The default JSP page for CAS uses the Spring Form tag which appears to
> > properly parse the action (at least in my testing in Firefox using the
> > URL you provided).
>
> If you can confirm this does not work with the default JSP, it's not
> really a security problem of CAS itself indeed. I think I have to say
> sorry for the noise.
>
> However, it would be nice if one of you could have a quick look at
> a possible fix for this custom JSP I have here offline, as I'm not really
> deep into JSP. Just send me an email in case...
>
> Thanks in advance,
> Felix
>
> > On Fri, Feb 26, 2010 at 4:28 AM, Felix Reinel <[email protected]> wrote:
> >
> > > Dear all,
> > >
> > > it looks like the CAS server is lacking input validation for the
> > > 'security_check' parameter, which leads to a cross-site-scripting
> > > vulnerability.
> > >
> > > By performing a POST request like this:
> > >
> > > echo 'POST /sso/login?service=http://$SERVER/$APPLICATION/security_check"><script>alert("vulnerable_to_xss")</script>' | nc $SERVER $PORT | grep '<script>'
> > >
> > > it seems to be possible to inject JavaScript code, as can be seen in the
> > > response, containing the following HTML code inside the form action tag:
> > >
> > > action="login;jsessionid=2A2EBF7AF213F90375F2713CF0DD0C59?service=http://$SERVER/$APPLICATION/security_check"><script>alert("vulnerable_to_xss")</script>">
> > >
> > > I guess the fix would be to perform proper encoding of that parameter?
> > > Would be great if you could have a look into that.
> > >
> > > Best regards,
> > > Felix Reinel
>
> --
> -----------------------------------------------------------------------
> Felix Reinel            | Web & Systems Administrator
> Office: 3001 ESO/IPP    |
> Tel.:   +49-89-32006-171 | Address:
> Fax.:   +49-89-32006-677 | European Southern Observatory
> Mobile: +49-160-2956856  | Karl-Schwarzschild-Strasse 2
> E-Mail: [email protected] | D-85748 Garching bei Muenchen, Germany
> -----------------------------------------------------------------------
> http://www.eso.org

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
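An added example (not code from the thread, the custom JSP or the CAS project) illustrating the fix the thread asks about: the service parameter rendered into the form action verbatim, beside the same rendering with HTML attribute escaping, which is what `<c:out>` or Spring's form tag does for the default CAS page. The class and method names and the example.invalid host are constructed for this example.

```java
// Constructed demonstration of the unsafe and the escaped form-action
// rendering. The JSP equivalents, for the custom page in the thread:
//   vulnerable: <form action="login?service=${param.service}">          (EL does not escape)
//   hardened:   <form action="login?service=<c:out value='${param.service}'/>">
public class LoginFormRendering {

    // Constructed input in the same shape as the service value from the report.
    static final String PAYLOAD =
        "http://example.invalid/app/security_check\"><script>alert(\"vulnerable_to_xss\")</script>";

    // Vulnerable pattern: the parameter is concatenated into the attribute
    // as-is, so the double quote in the value closes the attribute early and
    // the rest of the value is emitted as markup.
    static String vulnerableAction(String service) {
        return "<form action=\"login?service=" + service + "\">";
    }

    // Escape for the HTML attribute context: every character that can end
    // the attribute or open a tag is replaced with an entity, the same set
    // <c:out> escapes with escapeXml="true".
    static String escapeHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened pattern: the browser still receives the full service URL as
    // the attribute value, but it can no longer break out of the attribute.
    static String safeAction(String service) {
        return "<form action=\"login?service=" + escapeHtmlAttribute(service) + "\">";
    }

    public static void main(String[] args) {
        System.out.println(vulnerableAction(PAYLOAD));
        System.out.println(safeAction(PAYLOAD));
        // The grep '<script>' from the report matches only the first rendering.
        System.out.println("raw <script> in vulnerable output: " + vulnerableAction(PAYLOAD).contains("<script>"));
        System.out.println("raw <script> in hardened output:   " + safeAction(PAYLOAD).contains("<script>"));
    }
}
```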
