
XSS vulnerability in sso.ub.edu
Verified, Public

Description

Abstract

Arbitrary JavaScript code can be injected into https://sso.ub.edu/CAS/index.php/login via the service parameter. This allows an attacker to retrieve some session cookies, which in turn allow the attacker to access some UB intranets as the user being attacked. This problem was fixed in the adAS software, but the fix is not present in the adAS version hosted by the UB.

Reproduction steps

  1. Sign in in order to access any UB service (for instance, https://campusvirtual.ub.edu/)
  2. Open the following link: https://sso.ub.edu/CAS/index.php/login?service=%3Cscript%3E%0Aeval(%22ale%22%2B%22rt(document.cookie)%22)%3B%0A%3C%2Fscript%3E
  3. You will see the content of, at least, 2 cookies: UbSes3 and UBSess.

What should be done?

The adAS software should be updated to the latest version, as this vulnerability was fixed on November 29, 2018, as mentioned in issue ADAS-1524.

If the update cannot be done, a temporary fix should be applied, consisting of sanitizing the service parameter.
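
One way to implement the temporary fix described above, as an added example (not adAS code and not part of the original report): validate the service parameter against an allowlist before use, and HTML-encode it wherever it is written into the page. The function names and the allowlisted host are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of registered service hosts (assumption; not adAS configuration).
const ALLOWED_SERVICE_HOSTS = ['campusvirtual.ub.edu'];

// Return the service URL only if it is an absolute https URL on an allowlisted host.
function validate_service(?string $raw): ?string
{
    if ($raw === null || $raw === '' || strlen($raw) > 2048) {
        return null;
    }
    // Control characters, whitespace and markup delimiters have no place in a raw URL.
    if (preg_match('/[\x00-\x20\x7F<>"\']/', $raw) === 1) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only https, and no embedded credentials (user:pass@host).
    if (strtolower($parts['scheme']) !== 'https' || isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    return in_array(strtolower($parts['host']), ALLOWED_SERVICE_HOSTS, true) ? $raw : null;
}

// Encode a value for HTML text or a quoted attribute, whatever validation said.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs; the second is the encoded value from the reproduction step.
$samples = [
    'https%3A%2F%2Fcampusvirtual.ub.edu%2F',
    '%3Cscript%3E%0Aeval(%22ale%22%2B%22rt(document.cookie)%22)%3B%0A%3C%2Fscript%3E',
    'http%3A%2F%2Fcampusvirtual.ub.edu%2F',
    'https%3A%2F%2Fexample.org%2F',
];
foreach ($samples as $encoded) {
    $raw = urldecode($encoded); // what $_GET['service'] would contain
    $service = validate_service($raw);
    if ($service === null) {
        echo 'rejected: ', html_text($raw), "\n";
    } else {
        echo '<input type="hidden" name="service" value="', html_text($service), "\">\n";
    }
}
```

The output encoding is what neutralizes the injected markup; the allowlist is defense in depth. Marking the session cookies HttpOnly would additionally keep them out of document.cookie.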

Attack scenario

An attacker could send a URL to another UB member which, when opened, would send the previously mentioned session cookies to the attacker.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Details

Reported: Jan 13 2020, 4:13 PM
Deadline: 90

Event Timeline

avm99963 triaged this task as Priority-1 priority. (Jan 13 2020, 4:16 PM)
avm99963 created this task.

This vulnerability seems to be fixed from my end since a couple of days ago. Therefore, I'm marking it as fixed.

I will wait for the vendor's confirmation before marking it as verified or publishing it.

avm99963 closed this task as Fixed. (Feb 18 2020, 1:07 AM)
Douglasbot changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)". (Apr 14 2020, 5:13 AM)

The deadline has been exceeded -- automatically publishing vulnerability report.

avm99963 changed the task status from Fixed to Verified. (Apr 14 2020, 10:19 AM)

Marking as verified because UB's SAE confirmed that the vulnerability was fixed on Feb 21 2020, 12:14.