Securin Zero-Days
CVE-2019-20436 - Stored Cross-Site Scripting in WSO2 Product
Description
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect’s URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console and to add and configure claim dialects.
Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics
Proof of Concept (POC):
The dialect parameter of the POST request to https://localhost:9443/carbon/identity-claim-mgt/add-dialect-finish-ajaxprocessor.jsp is vulnerable to stored Cross-Site Scripting (XSS): the submitted value is stored and later executed when it is rendered.
Figure 01: Adding the XSS payload to the dialect variable.
Figure 02: The added XSS payload, <script>alert(document.cookie)</script>, is stored.
Figure 03: Editing the service provider information.
Figure 04: Selecting the stored XSS payload in the claims.
Figure 05: Adding the Service Provider Claim Dialect URI by selecting the stored URI value from the claims.
Figure 06: The injected XSS payload executes in the browser after the claims are added.
Impact
Through an XSS attack, the attacker can make the browser redirect to a malicious website. Unauthorized actions such as changing the UI of the web page and retrieving information from the browser are possible. But since all session-related sensitive cookies are set with the httpOnly flag and protected, session hijacking or a similar attack would not be possible.
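To make the condition concrete, here is an added illustration in Python (not WSO2's own JSP code) that models the pattern: a stored dialect URI rendered into the service-provider claim page without encoding, next to the hardened rendering and an input-side URI allow-list. The sample dialect values and the is_valid_dialect_uri rule are constructed assumptions for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample data for this example (not values from a real deployment):
# one ordinary claim dialect URI and the payload quoted in the advisory.
SAMPLE_DIALECTS = [
    "http://wso2.org/claims",
    "<script>alert(document.cookie)</script>",
]

# Hypothetical allow-list for dialect URIs: absolute http(s) URLs or urn: names,
# with no characters that could break out of an HTML attribute or element.
_URN_RE = re.compile(r"^urn:[A-Za-z0-9][A-Za-z0-9-]{0,31}:[^\s<>\"']+$")
_HTML_SPECIALS = '<>"\''


def is_valid_dialect_uri(uri: str) -> bool:
    """Input-side check to run when a dialect is created (the add-dialect step)."""
    if any(c in uri for c in _HTML_SPECIALS):
        return False
    if _URN_RE.match(uri):
        return True
    parts = urlsplit(uri)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def add_dialect(store: list, uri: str) -> bool:
    """Stores the dialect only if it passes the allow-list; returns whether it was kept."""
    if not is_valid_dialect_uri(uri):
        return False
    store.append(uri)
    return True


def render_options_vulnerable(dialects) -> str:
    """Builds the claim-dialect <option> list by string concatenation.
    Stored values land in the page verbatim, which is the stored-XSS condition."""
    return "".join(f'<option value="{d}">{d}</option>' for d in dialects)


def render_options_hardened(dialects) -> str:
    """Output-side defence: HTML-encode every stored value at render time,
    independent of whatever validation happened on input."""
    return "".join(
        f'<option value="{html.escape(d)}">{html.escape(d)}</option>' for d in dialects
    )
```

Both layers matter: the input check stops the payload from being stored at all, and the output encoding keeps a value that slipped into the store (or was written by a different code path) from ever reaching the browser as markup.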
Remediations
Download the relevant patch based on the product version.
Code  | Product                | Version | Patch
AM    | WSO2 API Manager       | 2.6.0   |
IS KM | WSO2 IS as Key Manager | 5.7.0   |
IS    | WSO2 Identity Server   | 5.8.0   |
Timeline