[SBA-ADV-20190305-01] CVE-2019-13564: Ping Identity Agentless Integration Kit <1.5 Reflected Cross-site Scripting (XSS)

Related Vulnerabilities: CVE-2019-13564  
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[SBA-ADV-20190305-01] CVE-2019-13564: Ping Identity Agentless Integration Kit &lt;1.5 Reflected Cross-site Scripting (XSS)</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: SBA Research Advisory &lt;advisory () sba-research org&gt;


<em>Date</em>: Thu, 29 Aug 2019 16:56:46 +0200


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;"># Ping Identity Agentless Integration Kit Reflected Cross-site Scripting (XSS) #

Link: 
<a rel="nofollow" href="https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190305-01_Ping_Identity_Agentless_Integration_Kit_Reflected_XSS">https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190305-01_Ping_Identity_Agentless_Integration_Kit_Reflected_XSS</a>

## Vulnerability Overview ##

Ping Identity Agentless Integration Kit before 1.5 is susceptible to
Reflected Cross-site Scripting at the `/as/authorization.oauth2`
endpoint due to improper encoding of an arbitrarily submitted HTTP
GET parameter name.

* **Identifier**            : SBA-ADV-20190305-01
* **Type of Vulnerability** : Cross-site Scripting
* **Software/Product Name** : [Ping Identity Agentless Integration Kit](<a rel="nofollow" href="https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide.html">https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide.html</a>)
* **Vendor**                : [Ping Identity](<a rel="nofollow" href="https://www.pingidentity.com/">https://www.pingidentity.com/</a>)
* **Affected Versions**     : &lt; 1.5
* **Fixed in Version**      : 1.5
* **CVE ID**                : CVE-2019-13564
* **CVSSv3 Vector**         : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* **CVSSv3 Base Score**     : 6.1 (Medium)

## Vendor Description ##

</pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;">After authenticating the user (via a federated security token or
authentication adapter), the user will be presented to the protected
application via an SP adapter. This adapter provides the last-mile
connection between the federation server (PingFederate) and the
application, the user will be presented to the application which can
then create a session and render the application for the
authenticated user.
</pre></blockquote><pre style="margin: 0em;">
Source: 
&lt;<a rel="nofollow" href="https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide/last-mile-integration.html">https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide/last-mile-integration.html</a>&gt;

## Impact ##

By exploiting the documented vulnerability, an attacker who gets a victim
to open a crafted link (the `UI:R` in the CVSS vector) can execute
JavaScript code in the victim's browser within the origin of the target
site, i.e. the PingFederate host serving `/as/authorization.oauth2`.
This can be misused, for example, for phishing attacks: a fake login
form is displayed in the context of the trusted site via JavaScript and
the victim's credentials are then sent to the attacker.

## Vulnerability Description ##

The `/as/authorization.oauth2` endpoint of PingFederate takes several
HTTP GET parameter name-value pairs, which are subsequently rendered
as an HTML form with hidden input fields.

```text
<a rel="nofollow" href="https://idp.example.com/as/authorization.oauth2?response_type=code&amp;client_id=CLIENT&amp;redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb">https://idp.example.com/as/authorization.oauth2?response_type=code&amp;client_id=CLIENT&amp;redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb</a>
```

The name of each HTTP parameter is rendered as the `name` attribute of
the corresponding input field and its value as the `value` attribute.
Unexpected, arbitrarily chosen parameters are reflected as well, so an
attacker fully controls one such name. The content of the `value`
attribute is HTML-encoded and therefore not susceptible to XSS. The
content of the `name` attribute, however, is written to the HTML document
without any encoding or sanitization.

## Proof of Concept ##

An attacker can exploit this vulnerability by submitting a parameter
whose name closes the `name` attribute with a double quote and the
`input` element with `>`, and then inserts, for example, a `script`
element. Since the value is irrelevant, the parameter needs no `=` part.

```text
<a rel="nofollow" href="https://idp.example.com/as/authorization.oauth2?response_type=code&amp;client_id=CLIENT&amp;redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&amp;%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E">https://idp.example.com/as/authorization.oauth2?response_type=code&amp;client_id=CLIENT&amp;redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&amp;%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E</a>
```

The last parameter reads as follows when URL-decoded:

```html
"&gt;&lt;script&gt;alert(1)&lt;/script&gt;
```

This leads to the following HTML response (shortened for readability):

```html
&lt;form method="post" action="[...]"&gt;
    &lt;input type="hidden" name="REF" value="[...]"/&gt;
    &lt;!-- ... --&gt;
    &lt;input type="hidden" name=""&gt;&lt;script&gt;alert(1)&lt;/script&gt;" value=""/&gt;
    &lt;!-- ... --&gt;
&lt;/form&gt;
```

## Recommended Countermeasures ##

We recommend HTML-encoding the parameter name for the attribute context,
in the same way the parameter value is already encoded, so that `"` and
`>` in a name can no longer terminate the attribute or the element. As
defence in depth, forwarding only the parameter names the endpoint
actually expects removes the reflection of arbitrary names altogether.
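The following Python is an added illustration of the mechanism described in the Vulnerability Description and of the countermeasure above; it is not PingFederate's or Ping Identity's code. It re-implements the hidden-input form rendering in a vulnerable variant (value encoded, name not) and a hardened variant (both attribute-encoded, optionally restricted to an allow-list), parses the advisory's proof-of-concept URL, and includes the check a tester would run on a captured response. The function names, the `EXPECTED_PARAMS` allow-list and the `[...]` form action are assumptions of the example; the endpoint path and payload are the advisory's.

```python
# Added example, not vendor code: minimal model of the form rendering
# behind CVE-2019-13564, vulnerable vs. hardened, plus response checks.
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed request: the advisory's proof-of-concept URL.
POC_URL = (
    "https://idp.example.com/as/authorization.oauth2"
    "?response_type=code&client_id=CLIENT"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
    "&%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E"
)

# Assumed allow-list for the example only; the real endpoint accepts more.
EXPECTED_PARAMS = frozenset({"response_type", "client_id", "redirect_uri",
                             "scope", "state", "nonce"})

ROW = '    <input type="hidden" name="%s" value="%s"/>\n'


def query_pairs(url):
    """Decoded (name, value) pairs of the URL's query string.

    A parameter without '=' (like the PoC payload) is kept with an empty
    value, matching the value="" in the advisory's response."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def render_form_vulnerable(pairs):
    """Pre-1.5 behaviour: the value is attribute-encoded, the name is not."""
    rows = "".join(ROW % (name, html.escape(value, quote=True))
                   for name, value in pairs)
    return '<form method="post" action="[...]">\n%s</form>\n' % rows


def render_form_fixed(pairs, allowed=None):
    """Hardened rendering: name and value both go through attribute-context
    encoding (quote=True turns '"' into &quot; and '>' into &gt;), which is
    the advisory's recommended fix. An allow-list additionally drops
    parameter names the form has no reason to forward."""
    rows = "".join(ROW % (html.escape(name, quote=True),
                          html.escape(value, quote=True))
                   for name, value in pairs
                   if allowed is None or name in allowed)
    return '<form method="post" action="[...]">\n%s</form>\n' % rows


def is_reflected_unencoded(body, raw_name):
    """True if the raw parameter name sits verbatim inside a name="..."
    attribute of the response, i.e. the bug is still present."""
    return 'name="%s"' % raw_name in body


_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.\-]+$")


def suspicious_param_names(url):
    """Parameter names carrying characters no legitimate OAuth parameter
    name uses; a quick triage rule for access logs or a WAF."""
    return [name for name, _ in query_pairs(url) if not _SAFE_NAME.match(name)]


if __name__ == "__main__":
    pairs = query_pairs(POC_URL)
    print(render_form_vulnerable(pairs))
    print(render_form_fixed(pairs))
    print(render_form_fixed(pairs, allowed=EXPECTED_PARAMS))
    print("suspicious names:", suspicious_param_names(POC_URL))
```

The vulnerable renderer reproduces the `name=""><script>alert(1)</script>"` line shown in the Proof of Concept; the hardened one emits `name="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"`, which the browser treats as attribute text, and with the allow-list the injected parameter is not forwarded at all.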

## Timeline ##

* `2019-03-05` Identified the vulnerability in version &lt; 1.5
* `2019-03-25` Contacted the vendor via support
* `2019-05-24` Finding review with Ping Identity and SBA Research
* `2019-07-11` Publication of CVE-2019-13564

## References ##

* [NIST NVD entry of CVE-2019-13564](<a rel="nofollow" href="https://nvd.nist.gov/vuln/detail/CVE-2019-13564">https://nvd.nist.gov/vuln/detail/CVE-2019-13564</a>)

## Credits ##

* Thomas Konrad ([SBA Research](<a rel="nofollow" href="https://www.sba-research.org/">https://www.sba-research.org/</a>))
</pre><p><strong>Attachment:
<a href="att-33/0xFBB8862F58F775B2_asc.bin"><tt>0xFBB8862F58F775B2.asc</tt></a></strong>

<em>Description:</em> </p>
<p><strong>Attachment:
<a href="att-33/signature_asc.bin"><tt>signature.asc</tt></a></strong>

<em>Description:</em> OpenPGP digital signature</p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->