mailing list archives
JOIDS (Java OpenID Server) multiple vulnerabilities
From: Bartlomiej Balcerek <Bartlomiej.Balcerek () pwr edu pl>
Date: Tue, 04 Mar 2014 11:59:22 +0100
This is a public disclosure (with disarmed Proof of Concept) of
unpatched vulnerabilities in JOIDS (Java OpenID Server).
"JOIDS (Java OpenID Server) is a multi-domain, multi-user OpenID
Provider based on OpenID4Java, Spring Framework, Hibernate, Velocity"
JOIDS version 1.2.1 (current) and probably prior versions are prone to
reflected XSS'es and session fixation vulnerabilities. As Vendor
failed to issue a patch (see below) application may be considered as
vulnerable and not supported any more.
24.11.2013 - Vendor notified
01.12.2013 - Vendor response: "no time to fix"
04.01.2014 - Vendor notified of possible disclosure (no answer)
04.03.2014 - Public disclosure
Vulnerabilities' details are below. Remaining attributes, not relevant
to vulnerabilities, but required by OpenID provider have been removed.
1) XSS in openid.identity parameter. Example:
2) XSS in openid.realm parameter. Example:
Above bugs can lead to stealing user's session cookie by an attacker or
a Relying Party. Session cookie is a part of a Web page source, so
HttpOnly attribute does not protect cookies from these XSS attacks.
3) Session fixation
It is possible for an attacker to trick legitimate user to click link
and wait until the user logs in. After that, the attacker can use this
jsessioid to forge his cookie and get access to OpenID server with
Wroclaw Centre for Networking and Supercomputing
- JOIDS (Java OpenID Server) multiple vulnerabilities Bartlomiej Balcerek (Mar 04)