May 11, 2020

GHSL-2020-054: XSS in Apache Syncope - CVE-2020-1961

Alvaro Muñoz

Summary

An XSS issue in the EndUser login page was identified in Apache Syncope, combined with GHSL-2020-029 or GHSL-2020-055 this XSS may be escalated into RCE.

Product

Apache Syncope

Tested Version

syncope-2.1.5

Details

Cross-Site Scripting on EndUser login page (GHSL-2020-054, CVE-2020-17557)

The EndUser login page reflects the successMessage parameters with some sanitization (app.js):

component.show(String(message).replace(/<[^>]+>/gm, ''), "success");

However, this sanitization only accounts for closed tags. Unfortunately, most modern browsers will automatically close unclosed tags, thus enabling a bypass.

Impact

Even though the XSS issue is on the login page, it will also trigger if the victim is already logged-in when clicking the malicious link. This is important because if different apps (enduser and core) have the same same origin (scheme+host+port), an attacker may use this XSS to attack a Syncope administrator and send arbitrary requests to the REST API. When mixed with GHSL-2020-029 or GHSL-2020-055, this would allow an attacker to escalate this XSS into RCE.

Remediation

Rather than trying to sanitize the user input, escape the successMessage parameter for HTML context.

This issue was addressed in the following commit

CVE

  • CVE-2020-17557

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 04/01/2020: Report send to Apache
  • 04/02/2020: Issue acknowledged
  • 04/02/2020: Apache sends draft advisory
  • 05/11/2020: Public Advisory

Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-054 in any communication regarding this issue.