Abstract
Arbitrary JavaScript code can be injected into https://sso.ub.edu/CAS/index.php/login via the service parameter. This allows an attacker to retrieve some session cookies, which in turn allow the attacker to access some UB intranets as the attacked user. This problem was fixed in the adAS software, but the fix is not present in the adAS version hosted by the UB.
Reproduction steps
- Sign in to any UB service (for instance, https://campusvirtual.ub.edu/)
- Open the following link: https://sso.ub.edu/CAS/index.php/login?service=%3Cscript%3E%0Aeval(%22ale%22%2B%22rt(document.cookie)%22)%3B%0A%3C%2Fscript%3E
- You will see the content of at least two cookies: UbSes3 and UBSess.
What should be done?
The adAS software should be updated to the latest version, as this vulnerability was fixed on November 29, 2018, as mentioned in issue ADAS-1524.
If the update cannot be done, a temporary fix should be applied that consists of sanitizing the service parameter.
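As an added illustration of that temporary fix (this is example code, not adAS's own and not the UB's deployment), the service parameter is validated as an absolute HTTPS URL whose origin is on a constructed allowlist, and whatever is echoed back into the login page is HTML-escaped as a second layer. The allowlist contents and the hidden-field rendering are assumptions for the example.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed allowlist of registered CAS service origins (assumption:
# the real deployment's list of services is not known from the report).
ALLOWED_SERVICE_ORIGINS = {"https://campusvirtual.ub.edu"}
MAX_SERVICE_LEN = 2048


def validate_service(service):
    """Return the service URL unchanged if it is acceptable, else None.

    The CAS 'service' parameter must be an absolute URL pointing at a
    registered service; anything else (markup, javascript: URIs, look-alike
    hosts, control characters) is rejected rather than reflected.
    """
    if not service or len(service) > MAX_SERVICE_LEN:
        return None
    if any(ch in service for ch in "\r\n\t\0"):
        return None
    try:
        parts = urlsplit(service)
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.netloc:
        return None
    origin = f"{parts.scheme}://{parts.netloc.lower()}"
    if origin not in ALLOWED_SERVICE_ORIGINS:
        return None
    return service


def render_service_field_unsafe(service):
    """Defect class the report describes: the parameter is reflected raw."""
    return f'<input type="hidden" name="service" value="{service}">'


def render_service_field(service):
    """Hardened rendering: validate first, then escape on output."""
    safe = validate_service(service)
    if safe is None:
        # Unknown or malformed service: drop it instead of echoing it back.
        return '<input type="hidden" name="service" value="">'
    return f'<input type="hidden" name="service" value="{escape(safe, quote=True)}">'
```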
Attack scenario
An attacker could send a URL to another UB member which, when opened, would send the previously mentioned session cookies to the attacker.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.