FYI. We have worked on these issues privately with Bartlomiej via the [email protected] list during the last few days and immediately patched all Identity Server instances in production.
Also all the users who have downloaded the affected Identity Server instances have by now been personally notified. You can now download the patch from http://wso2.com/products/identity-server/. Please find more details on how to report a security vulnerability related to any WSO2 product from http://wso2.com/security.

Thanks & regards,
-Prabath

On Thu, Nov 20, 2014 at 6:33 PM, Bartlomiej Balcerek <[email protected]> wrote:
> Hi,
>
> Since I've written several emails to individual persons responsible for
> WSO2 management and development, and haven't got any response, at last
> I've decided to post to the mailing list:
>
> During penetration testing our Security Team (WCSS CSIRT) discovered
> serious security vulnerabilities in WSO2 Identity Server version 5.0.0
> (latest available on http://wso2.com/products/identity-server/).
>
> 1) Identity spoofing/authentication bypass. An attacker needs to log in to
> WSO2 IS to obtain a valid HTTP session. Given this session he/she can
> request an OpenID assertion from WSO2 IS for _any_ identity
> (openid.identity). Thus any authenticated user is able to spoof any
> identity he/she requests in order to log in to the RP as a user of his will.
>
> 2) XSS A - HTML injection
>
> https://<wso2is_address>/openid/%3cIMG%20SRC%3d%22a%22%20onerror=alert(%22XSS%22)%3e
>
> Note that the filter you use against XSS is easy to evade.
>
> Countermeasure:
>
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
> RULE#1 RULE#2
>
> 3) XSS B - HTML injection
>
> https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://www.wp.pl&openid.realm=http://www.wp.pl&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://www.wp.pl/test&openid.claimed_id=https://www.wp.pl/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e%27%2f%3e%3c%73%63%72%69%70%74%3eeval("ale"%2b"rt(1)")%3c%2f%73%63%72%69%70%74%3e&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL
>
> It seems there is no filtering/escaping involved there.
>
> Countermeasure:
>
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
> RULE#1 RULE#2
>
> 4) XSS C - JavaScript injection
>
> https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://www.wp.pl&openid.realm=http://www.wp.pl&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://www.wp.pl/test&openid.claimed_id=https://www.wp.pl/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e-aaa"%0a};alert(1);%0aif(0){"&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL
>
> This is direct JavaScript injection; there is not even any need to inject
> HTML tags.
>
> Countermeasure:
>
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values
>
> As for these XSS bugs, it is very likely you are prone in many other
> places as well. Our audit was just as quick as possible. Please apply
> the above-mentioned OWASP guides to get rid of these XSS problems. Probably
> any other countermeasures will be ineffective, in particular any
> custom anti-XSS filters.
>
> 5) WSO2 IS breaks an important OpenID specification constraint
> concerning "nonce". A "nonce" must be used only "once", whereas WSO2 IS
> allows unlimited use of the same nonce value, see:
>
> http://openid.net/specs/openid-authentication-2_0.html#verify_nonce
>
> thanks,
>
> Bartlomiej Balcerek <[email protected]>
> Antoni Klajn <[email protected]>
> Wroclaw University of Technology, Poland
> Wroclaw Centre for Networking and Supercomputing
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +94 71 809 6732
http://blog.facilelogin.com
http://blog.api-security.org
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
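Added example, not part of the thread above and not WSO2's own code: the countermeasures the report asks for, written in Python rather than the product's Java. It binds an OpenID assertion to the user the session actually authenticated (item 1), applies OWASP XSS Prevention Cheat Sheet Rule #1 and Rule #3 output encoding to a reflected value such as sessionDataKey (items 2 to 4), and accepts an OpenID 2.0 response_nonce once only, and only while its embedded timestamp is fresh (item 5, the verify_nonce section linked in the report). The identity URL convention, the login page template and every function and class name here are this example's own assumptions.

```python
"""Added example (not WSO2 code): defensive checks for the three classes
of issue in the report, in Python. All names are this example's own."""
import calendar
import html
import re
import time


# --- item 1: bind the asserted identity to the logged-in user ------------
def authorize_assertion(session_user, requested_identity, identity_base):
    """Return True only if requested_identity is the identity URL this
    provider issues for session_user. Constructed convention: identities
    are identity_base + username, e.g. https://op.example/openid/alice."""
    owned = identity_base.rstrip("/") + "/" + session_user
    return requested_identity == owned


# --- items 2-4: context-aware output encoding ----------------------------
def escape_html_body(value):
    """Rule #1: encode & < > " ' / before placing untrusted data into HTML
    element content or a quoted attribute."""
    return html.escape(value, quote=True).replace("/", "&#x2F;")


def escape_js_string(value):
    """Rule #3: \\xHH-encode everything except [A-Za-z0-9] before placing
    untrusted data inside a JavaScript string literal, so the value can
    never terminate the quote, the statement or the <script> element."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02X" % cp)
        else:
            out.append("\\u%04X" % cp)
    return "".join(out)


def render_login_page(session_data_key, username):
    """Constructed stand-in for a login page that reflects sessionDataKey
    into an attribute and into an inline script, each with the encoding
    that matches its context."""
    return (
        '<input type="hidden" name="sessionDataKey" value="%s"/>\n'
        '<p>Welcome %s</p>\n'
        '<script>\n'
        '  var sessionDataKey = "%s";\n'
        '</script>'
    ) % (escape_html_body(session_data_key),
         escape_html_body(username),
         escape_js_string(session_data_key))


# --- item 5: single-use nonce check (OpenID 2.0 response_nonce) ----------
# Format: UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by ASCII 33-126.
_NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z([\x21-\x7e]*)$")


def nonce_issued_at(nonce):
    """Unix time encoded in the nonce, or None if it is malformed."""
    m = _NONCE_RE.match(nonce)
    if not m:
        return None
    return calendar.timegm(time.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))


class NonceStore:
    """Remembers every nonce accepted within the freshness window, so a
    second presentation of the same value is rejected as a replay."""

    def __init__(self, max_skew_seconds=300):
        self.max_skew = max_skew_seconds
        self._seen = {}  # nonce -> unix time after which it may be forgotten

    def verify(self, nonce, now=None):
        now = time.time() if now is None else now
        issued = nonce_issued_at(nonce)
        if issued is None or abs(now - issued) > self.max_skew:
            return False  # malformed, or outside the freshness window
        # forget expired entries so the store stays bounded; anything older
        # than the window is already rejected by the check above
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return False  # replay: this nonce was already used once
        self._seen[nonce] = issued + self.max_skew
        return True


if __name__ == "__main__":
    # decoded form of the report's item 4 value, rendered safely in both contexts
    print(render_login_page('186f35c3-aaa"\n};alert(1);\nif(0){"', "test"))
```

The nonce check needs shared state across all nodes that verify assertions; an in-memory dict like the one above is enough for a single process, but a clustered deployment would back it with a shared store keyed on the same freshness window.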
