
Java OpenID Server 1.2.1 XSS / Session Fixation

Posted Mar 4, 2014
Authored by Bartlomiej Balcerek

JOIDS (Java OpenID Server) version 1.2.1 suffers from reflected cross site scripting and session fixation vulnerabilities.

tags | exploit, java, vulnerability, xss
SHA-256 | d0111d88c2b72fdcea60d1fd44070e2af28045c390f13e4603277e4f163efcef

Hi,

This is a public disclosure (with disarmed Proof of Concept) of
unpatched vulnerabilities in JOIDS (Java OpenID Server).

"JOIDS (Java OpenID Server) is a multi-domain, multi-user OpenID
Provider based on OpenID4Java, Spring Framework, Hibernate, Velocity"
(https://code.google.com/p/openid-server/).

JOIDS version 1.2.1 (current) and probably prior versions are prone to
reflected XSS and session fixation vulnerabilities. As the vendor has
not issued a patch (see the timeline below), the application should be
considered vulnerable and no longer supported.

Timeline:

24.11.2013 - Vendor notified
01.12.2013 - Vendor response: "no time to fix"
04.01.2014 - Vendor notified of possible disclosure (no answer)
04.03.2014 - Public disclosure

Details of the vulnerabilities follow. The remaining request
attributes, which are required by the OpenID provider but not relevant
to the vulnerabilities, have been removed from the examples.

1) XSS in openid.identity parameter. Example:

https://<openid_server>/server?<removed_attributes>&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select"><img%20src%3da%20onerror%3dalert("XSS")><

2) XSS in openid.realm parameter. Example:

https://<openid_server>/server?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.realm=https://<SCRIPT>alert("XSS")</SCRIPT>/&openid.return_to=https://<SCRIPT>alert("XSS")</SCRIPT>&<removed_attributes>

The above bugs can let an attacker or a Relying Party steal the user's
session cookie. The session cookie is part of the Web page source, so
the HttpOnly attribute does not protect it from these XSS attacks.

3) Session fixation

An attacker can trick a legitimate user into clicking a link such as:
https://<openid_server>/home;jsessionid=9FBC9A83AD152F5701C0395A92FF23AB
and wait until the user logs in. After that, the attacker can use this
jsessionid to forge their own cookie and gain access to the OpenID
server with the legitimate user's permissions.
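As an added example (not part of the advisory or the JOIDS project), here is a defender-side check over web server access logs for the two request shapes described above: OpenID parameters carrying HTML metacharacters, and a jsessionid carried in the URL path. The log lines, IP addresses and session ID below are constructed samples, and the parameter list is an assumption about which OpenID fields a provider reflects into its pages.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (not real traffic): one clean OpenID
# request, one with an injected tag in openid.identity, one with a
# URL-rewritten session id on /home.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2014:10:00:01 +0100] "GET /server?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.realm=https%3A%2F%2Frp.example%2F HTTP/1.1" 200 1523
10.0.0.7 - - [04/Mar/2014:10:00:02 +0100] "GET /server?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select%22%3E%3Cimg%20src%3Da%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1601
10.0.0.9 - - [04/Mar/2014:10:00:03 +0100] "GET /home;jsessionid=0123456789ABCDEF0123456789ABCDEF HTTP/1.1" 200 842
"""

# OpenID parameters that a provider typically echoes back into HTML
# (assumed list; openid.identity and openid.realm are the ones in the advisory).
OPENID_PARAMS = ("openid.identity", "openid.realm", "openid.return_to", "openid.claimed_id")
HTML_META = re.compile(r'[<>"\']')            # characters that break out of an attribute or tag
JSESSIONID_IN_PATH = re.compile(r";jsessionid=", re.IGNORECASE)
REQ_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request target inside the quoted request line


def classify_request(target: str) -> list[str]:
    """Return a list of finding labels for one request target (path + query)."""
    findings = []
    parts = urlsplit(target)  # urlsplit keeps ';jsessionid=...' inside .path
    if JSESSIONID_IN_PATH.search(parts.path):
        findings.append("session-id-in-url")
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer of %XX
    for name in OPENID_PARAMS:
        for value in query.get(name, []):
            # unquote once more so a double-encoded payload is still caught
            if HTML_META.search(unquote(value)):
                findings.append(f"html-metachar:{name}")
    return findings


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Scan access log text; return (request_target, findings) for flagged lines only."""
    flagged = []
    for line in text.splitlines():
        match = REQ_LINE.search(line)
        if not match:
            continue
        findings = classify_request(match.group(1))
        if findings:
            flagged.append((match.group(1), findings))
    return flagged


if __name__ == "__main__":
    for target, findings in scan_log(SAMPLE_LOG):
        print(", ".join(findings), "<-", target[:80])
```

A hit on `html-metachar` is a heuristic worth reviewing rather than proof of exploitation, since legitimate identifiers never need those characters; a `session-id-in-url` hit is worth alerting on regardless, as JOIDS accepts the id from the path.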

greets,
--
Bartlomiej Balcerek
Wroclaw Centre for Networking and Supercomputing
