Securin Zero-Days

CVE-2020-14446 – Open Redirect in WSO2 Product

Severity: Medium

Vendor

WSO2

Affected Product

WSO2 IS as Key Manager 5.9.0 or earlier, WSO2 Identity Server 5.9.0 or earlier

CVE

CVE-2020-14446

Securin ID

2020-CSW-06-1044

Status

Fixed

Date

February 10, 2020

Description

Client-side open redirect arises when an application incorporates user-controllable data into the target of a redirection in an unsafe way. In WSO2 Identity Server version 5.9.0, an XSS payload is allowed to redirect the user to an external domain.

Proof of Concept (POC):

The following vulnerability was tested on WSO2 Identity Server Manager version 5.9.0.

Issue 01: Client-side URL Redirection.

Figure 01: Navigating to the Policy Administration and clicking the Add New Entitlement Policy link.

Figure 02: Clicking Write Policy in XML opens the URL and editor.

Figure 03: Entering the domain http://evil.com in the variable CallbackURL.

Figure 04: The entered domain is saved in the DOM object and reflected in the response body.

Figure 05: Forwarding the request and clicking the Cancel button triggers the URL navigation script and redirects to the custom entered domain.
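The defect class the PoC walks through, reduced to its client-side core, as an added JavaScript example (this is not WSO2's code and not the change in the referenced pull request): the unsafe pattern takes the CallbackURL value as the navigation target as-is, so a value such as http://evil.com is honoured; the hardened version resolves the value against the application's own origin and only honours targets whose scheme is http(s) and whose host is on an allowlist, falling back to a fixed internal path otherwise. The origin idp.example.com, the allowlist, the fallback path and the sample inputs are assumptions constructed for the example.

```javascript
// Added example, not WSO2 code. Models the client-side redirect that the
// advisory describes, plus a hardened replacement for it.

// Assumed application origin and allowlist, constructed for this example.
const APP_ORIGIN = "https://idp.example.com";
const ALLOWED_HOSTS = new Set(["idp.example.com", "portal.example.com"]);
const FALLBACK_PATH = "/"; // assumed safe landing page

// Vulnerable pattern: the CallbackURL value is used as the navigation target
// without validation. In the real page this value would be assigned to
// window.location.href, so "http://evil.com" sends the user off-site.
function unsafeRedirectTarget(callbackUrl) {
  return callbackUrl;
}

// Hardened pattern: parse with the WHATWG URL API against the app origin,
// require an http(s) scheme, and require an exact hostname match against the
// allowlist. Exact matching (not startsWith) rejects lookalike hosts such as
// idp.example.com.evil.com and userinfo tricks such as idp.example.com@evil.com.
function safeRedirectTarget(callbackUrl) {
  const fallback = new URL(FALLBACK_PATH, APP_ORIGIN).href;
  let url;
  try {
    url = new URL(String(callbackUrl), APP_ORIGIN);
  } catch (e) {
    return fallback; // unparseable input never becomes a redirect target
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return fallback; // blocks javascript:, data: and similar schemes
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return fallback; // external or protocol-relative (//evil.com) targets
  }
  return url.href;
}

// Constructed sample inputs, showing what each function would navigate to.
const SAMPLE_INPUTS = [
  "http://evil.com",
  "//evil.com/x",
  "javascript:alert(1)",
  "https://idp.example.com.evil.com/",
  "https://idp.example.com@evil.com/",
  "/login?next=1",
  "https://portal.example.com/home",
];

for (const input of SAMPLE_INPUTS) {
  console.log(
    JSON.stringify(input),
    "-> unsafe:", unsafeRedirectTarget(input),
    "| safe:", safeRedirectTarget(input)
  );
}
```

The same check belongs on the server side whenever the redirect is issued by a response rather than by page script; a client-side guard alone does not protect a server-issued Location header.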

Impact

An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.

Remediations

Download and apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-identity-framework/pull/2848

Timeline

Jan 31, 2020: Discovered in WSO2 Identity Server Manager version 5.9.0

Feb 04, 2020: CSW conducted an Internal Review

Feb 10, 2020: Reported to the WSO2 security team

June 05, 2020: Published to the public domain
