Client-side open redirect arises when an application incorporates user-controllable data into the target of a redirection in an unsafe way. XSS payload is allowed to redirect the user to the external domain in the product WSO2 Identity Server version 5.9.0.
Securin Zero-Days
CVE-2020-14446 – Open Redirect in WSO2 Product
Severity:Medium
Vendor
WSO2
Affected Product
WSO2 IS as Key Manager 5.9.0 or earlier, WSO2 Identity Server 5.9.0 or earlier
CVE
CVE-2020-14446
Securin ID
2020-CSW-06-1044
Status
Fixed
Date
February 10, 2020
Description
Proof of Concept (POC):
The following vulnerability was tested on WSO2 Identity Server Manager version 5.9.0 Product.
Issue 01: Client-side URL Redirection.
Figure 01: Navigating to the Policy Administration and Clicking the Add New Entitlement Policy Link.
Figure 02: Clicking the Write Policy in XML opens the URL and Editor.
Figure 03: Entering the domain http://evil.com in the variable CallbackURL.
Figure 04: Entered domain saved in the DOM object and reflected in the Response body.
Figure 05: Forwarding the request and clicking the Cancel button triggers the URL navigation script and redirects to the custom entered domain.
Impact
An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.
Remediations
Download and apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-identity-framework/pull/2848
Timeline
Jan 31,2020: Discovered in WSO2 Identity Server Manager version 5.9.0
Feb 04, 2020: CSW conducted an Internal Review
Feb 10, 2020: Reported to the WSO2 security team
June 05, 2020: Published to the public domain