Exploit Title: NYU OpenSSO Integration Logon Page url Parameter XSS
Product: OpenSSO Integration
Vulnerable Versions: 2.1 and probability prior
Tested Version: 2.1
Advisory Publication: December 29, 2014
Latest Update: December 29, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7293
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discover and Writer: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)
(1) Vendor & Product Description:
Product & Vulnerable Versions:
Vendor URL & Download:
OpenSSO Integration can be obtrained from here,
"NYU has integrated PDS with Sun's OpenSSO Identity Management application. The PDS/OpenSSO integration uses PDS as the NYU Libraries' single sign-on system and leverages NYU's OpenSSO system to provide seamless interaction between library applications and university services. The integration merges patron information from OpenSSO (e.g. name, email, e-resources access) with patron information from Aleph (e.g. borrower status and type) to ensure access to the multitude of library services."
"The NYU Libraries operate in a consortial environment in which not all users are in OpenSSO and not all OpenSSO users are in Aleph. PDS is hosted in an active/passive capacity on our Primo front-end servers. Due to the nature of PDS and Aleph, patrons are required to have an Aleph account in order to login to the library's SSO environment. The exception to this rule is EZProxy."
"Author: Scot Dalton
Institution: New York University
License: BSD style
Short description: Use, modification and distribution of the code are permitted provided the copyright notice, list of conditions and disclaimer appear in all related material.
Link to terms: [Detailed license terms]"
(2) Vulnerability Details:
NYU Opensso Integration web application has a computer cyber security bug problem. Hacker can exploit it by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Other similar products 0day vulnerabilities have been found by some other bug hunter researchers before. NYU has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. "Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What's more, you can now subscribe to an RSS feed containing the specific tags that you are interested in - you will then only receive alerts related to those tags." It has published suggestions, advisories, solutions details related to website vulnerabilities.
(2.1) The vulnerability occurs at “PDS” service’s logon page, with “&url” parameter,