Hi,

This is a public disclosure (with disarmed Proof of Concept) of
unpatched vulnerabilities in JOIDS (Java OpenID Server).

"JOIDS (Java OpenID Server) is a multi-domain, multi-user OpenID
Provider based on OpenID4Java, Spring Framework, Hibernate, Velocity"
(https://code.google.com/p/openid-server/).

JOIDS version 1.2.1 (current) and probably prior versions are prone to
reflected XSS'es and session fixation vulnerabilities. As Vendor
failed to issue a patch (see below) application may be considered as
vulnerable and not supported any more.

Timeline:

24.11.2013 - Vendor notified
01.12.2013 - Vendor response: "no time to fix"
04.01.2014 - Vendor notified of possible disclosure (no answer)
04.03.2014 - Public disclosure

Vulnerabilities' details are below. Remaining attributes, not relevant
to vulnerabilities, but required by OpenID provider have been removed.

1) XSS in openid.identity parameter. Example:

https://<openid_server>/server?<removed_attributes>&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select"><img%20src%3da%20onerror%3dalert("XSS")><

2) XSS in openid.realm parameter. Example:

https://<openid_server>/server?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.realm=https://<SCRIPT>alert("XSS")</SCRIPT>/&openid.return_to=https://<SCRIPT>alert("XSS")</SCRIPT>&<removed_attributes>

Above bugs can lead to stealing user's session cookie by an attacker or
a Relying Party. Session cookie is a part of a Web page source, so
HttpOnly attribute does not protect cookies from these XSS attacks.

3) Session fixation

It is possible for an attacker to trick legitimate user to click link
like:
https://<openid_server>/home;jsessionid=9FBC9A83AD152F5701C0395A92FF23AB
and wait until the user logs in. After that, the attacker can use this
jsessioid to forge his cookie and get access to OpenID server with
legitimate user's
permissions.

greets,
-- 
Bartlomiej Balcerek
Wroclaw Centre for Networking and Supercomputing