Exploit Title: NYU OpenSSO Integration Logon Page url Parameter XSS
Product: OpenSSO Integration
Vendor: NYU
Vulnerable Versions: 2.1 and probably prior
Tested Version: 2.1
Advisory Publication: December 29, 2014
Latest Update: December 29, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7293
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Writer: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)
Suggestion Details:
(1) Vendor & Product Description:
Vendor:
NYU
Product & Vulnerable Versions:
OpenSSO Integration
2.1
Vendor URL & Download:
OpenSSO Integration can be obtained from here,
Product Description:
"NYU has integrated PDS with Sun's OpenSSO Identity Management application. The PDS/OpenSSO integration uses PDS as the NYU Libraries' single sign-on system and leverages NYU's OpenSSO system to provide seamless interaction between library applications and university services. The integration merges patron information from OpenSSO (e.g. name, email, e-resources access) with patron information from Aleph (e.g. borrower status and type) to ensure access to the multitude of library services."
"The NYU Libraries operate in a consortial environment in which not all users are in OpenSSO and not all OpenSSO users are in Aleph. PDS is hosted in an active/passive capacity on our Primo front-end servers. Due to the nature of PDS and Aleph, patrons are required to have an Aleph account in order to login to the library's SSO environment. The exception to this rule is EZProxy."
"Author: Scot Dalton
Additional author(s):
Institution: New York University
Year: 2009
License: BSD style
Short description: Use, modification and distribution of the code are permitted provided the copyright notice, list of conditions and disclaimer appear in all related material.
Link to terms: [Detailed license terms]"
(2) Vulnerability Details:
The NYU OpenSSO Integration web application has a security bug that an attacker can exploit through XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Zero-day vulnerabilities in other similar products have been found by other bug hunters and researchers before. NYU has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. "Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What's more, you can now subscribe to an RSS feed containing the specific tags that you are interested in - you will then only receive alerts related to those tags." It has published suggestions, advisories and solution details related to website vulnerabilities.
(2.1) The vulnerability occurs at the “PDS” service’s logon page, with the “&url” parameter.
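A defensive sketch for a logon page that accepts a `url` parameter, added here as an example and not taken from the NYU code or the advisory. It assumes the value is echoed into an HTML attribute (the advisory does not say how the parameter is reflected); the host names and the functions `safe_return_url` and `render_logon_field` are hypothetical.

```python
import html
from urllib.parse import urlsplit

# Assumptions (constructed for this example): the hosts a logon page may
# return users to, and the fallback used when the parameter is rejected.
ALLOWED_HOSTS = {"library.example.edu", "primo.example.edu"}
DEFAULT_RETURN = "https://library.example.edu/"


def safe_return_url(raw):
    """Validate a `url` request parameter; return it or DEFAULT_RETURN."""
    # Reject control characters, whitespace and backslashes before parsing:
    # browsers and URL parsers normalise these differently.
    if not raw or any(ord(c) <= 0x20 or c == "\\" for c in raw):
        return DEFAULT_RETURN
    try:
        parts = urlsplit(raw)
    except ValueError:
        return DEFAULT_RETURN
    # Only absolute http(s) URLs: blocks javascript:, data: and "//host" forms.
    if parts.scheme not in ("http", "https"):
        return DEFAULT_RETURN
    # No userinfo tricks (https://allowed@other/); host must be allowlisted.
    if parts.username is not None or parts.password is not None:
        return DEFAULT_RETURN
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_RETURN
    return raw


def render_logon_field(raw):
    """Emit the hidden form field that carries the return URL."""
    value = safe_return_url(raw)
    # Output encoding for the attribute context: escapes & < > " and '.
    # Validation alone is not enough, since an allowed URL may contain quotes.
    escaped = html.escape(value, quote=True)
    return '<input type="hidden" name="url" value="%s">' % escaped


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in (
        "https://primo.example.edu/search?q=a&b=1",
        "javascript:alert(1)",
        'https://library.example.edu/"><script>alert(1)</script>',
    ):
        print(render_logon_field(sample))
```

The allowlist check limits where the parameter can point, and the escaping step keeps an accepted value from breaking out of the attribute it is written into.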