Summary
An XSS issue in the EndUser login page was identified in Apache Syncope; combined with GHSL-2020-029 or GHSL-2020-055, this XSS may be escalated into RCE.
Product
Apache Syncope
Tested Version
syncope-2.1.5
Details
Cross-Site Scripting on EndUser login page (GHSL-2020-054, CVE-2020-17557)
The EndUser login page reflects the successMessage parameter with some sanitization (app.js):
component.show(String(message).replace(/<[^>]+>/gm, ''), "success");
However, this sanitization only accounts for closed tags: the regular expression removes a tag only when a closing > is present. Most modern browsers will automatically close unclosed tags, so a message containing an unterminated tag passes through the filter and is still rendered as markup, enabling a bypass.
Impact
Even though the XSS issue is on the login page, it will also trigger if the victim is already logged in when clicking the malicious link. This is important because if the different apps (enduser and core) share the same origin (scheme+host+port), an attacker may use this XSS to attack a Syncope administrator and send arbitrary requests to the REST API. When combined with GHSL-2020-029 or GHSL-2020-055, this would allow an attacker to escalate this XSS into RCE.
Remediation
Rather than trying to sanitize the user input, escape the successMessage parameter for the HTML context in which it is rendered.
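The following is an added example, not code from Apache Syncope or from the advisory. It places the tag-stripping regular expression quoted above beside a context-aware HTML escaper of the kind the remediation calls for, and runs both over two constructed messages, one with a closed tag and one with an unclosed tag, to show which approach leaves a raw tag start in the output. The names stripTags, escapeHtml, containsRawTagStart, SAMPLES and compare are hypothetical helpers written for this illustration.

```javascript
// Added example, not Apache Syncope's code. Contrasts the tag-stripping regex
// quoted in the advisory with context-aware HTML escaping (the recommended
// fix). stripTags, escapeHtml, containsRawTagStart, SAMPLES and compare are
// hypothetical names for this illustration only.

// The quoted sanitizer: removes only complete "<...>" sequences. A "<" that is
// never followed by ">" does not match and is passed through unchanged.
function stripTags(message) {
  return String(message).replace(/<[^>]+>/gm, '');
}

// Remediation: escape every character that is significant in HTML text and
// attribute contexts, so no input can open a tag regardless of how the
// browser's parser recovers from malformed markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(message) {
  return String(message).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Check helper: true when the string still holds a raw "<", which an HTML
// parser treats as the start of a tag (auto-closing it if it is unterminated).
function containsRawTagStart(html) {
  return html.includes('<');
}

// Constructed sample messages (not taken from the advisory).
const SAMPLES = {
  closedTag: 'Welcome <b>back</b>', // the case the regex was written for
  unclosedTag: 'Welcome <b',        // the case the regex misses
};

// Runs both approaches over the samples and reports, per sample, whether a
// raw tag start survives each transformation.
function compare() {
  const result = {};
  for (const [name, input] of Object.entries(SAMPLES)) {
    const stripped = stripTags(input);
    const escaped = escapeHtml(input);
    result[name] = {
      stripped,
      strippedStillHasTag: containsRawTagStart(stripped),
      escaped,
      escapedStillHasTag: containsRawTagStart(escaped),
    };
  }
  return result;
}

console.log(JSON.stringify(compare(), null, 2));
```

Running it shows that stripTags leaves the unclosed-tag sample as "Welcome <b" (strippedStillHasTag: true), while escapeHtml turns every sample into inert text (escapedStillHasTag: false for both). The design point is that escaping is defined by the output context, not by a list of patterns to remove, so it does not depend on guessing how a browser will repair malformed input.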
This issue was addressed in the following commit
CVE
- CVE-2020-17557
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 04/01/2020: Report sent to Apache
- 04/02/2020: Issue acknowledged
- 04/02/2020: Apache sends draft advisory
- 05/11/2020: Public Advisory
Resources
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-054 in any communication regarding this issue.