Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Java OpenID Server 1.2.1 XSS / Session Fixation

🗓️ 04 Mar 2014 00:00:00Reported by Bartlomiej BalcerekType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 33 Views

Java OpenID Server 1.2.1 vulnerabilities exposed

Code
`Hi,  
  
This is a public disclosure (with disarmed Proof of Concept) of  
unpatched vulnerabilities in JOIDS (Java OpenID Server).  
  
"JOIDS (Java OpenID Server) is a multi-domain, multi-user OpenID  
Provider based on OpenID4Java, Spring Framework, Hibernate, Velocity"  
(https://code.google.com/p/openid-server/).  
  
JOIDS version 1.2.1 (current) and probably prior versions are prone to  
reflected XSS'es and session fixation vulnerabilities. As Vendor  
failed to issue a patch (see below) application may be considered as  
vulnerable and not supported any more.  
  
Timeline:  
  
24.11.2013 - Vendor notified  
01.12.2013 - Vendor response: "no time to fix"  
04.01.2014 - Vendor notified of possible disclosure (no answer)  
04.03.2014 - Public disclosure  
  
Vulnerabilities' details are below. Remaining attributes, not relevant  
to vulnerabilities, but required by OpenID provider have been removed.  
  
1) XSS in openid.identity parameter. Example:  
  
https://<openid_server>/server?<removed_attributes>&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select"><img%20src%3da%20onerror%3dalert("XSS")><  
  
2) XSS in openid.realm parameter. Example:  
  
https://<openid_server>/server?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.realm=https://<SCRIPT>alert("XSS")</SCRIPT>/&openid.return_to=https://<SCRIPT>alert("XSS")</SCRIPT>&<removed_attributes>  
  
Above bugs can lead to stealing user's session cookie by an attacker or  
a Relying Party. Session cookie is a part of a Web page source, so  
HttpOnly attribute does not protect cookies from these XSS attacks.  
  
3) Session fixation  
  
It is possible for an attacker to trick legitimate user to click link  
like:  
https://<openid_server>/home;jsessionid=9FBC9A83AD152F5701C0395A92FF23AB  
and wait until the user logs in. After that, the attacker can use this  
jsessioid to forge his cookie and get access to OpenID server with  
legitimate user's  
permissions.  
  
greets,  
--   
Bartlomiej Balcerek  
Wroclaw Centre for Networking and Supercomputing  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Mar 2014 00:00Current
0.2Low risk
Vulners AI Score0.2
java openid server" "xss" "session fixation" "vulnerabilities" "public disclosure" "security patch" "cookie theft" "session hijacking" "openid provider
33