2019-02-12 XSS Vulnerability on Logged Out Page
Summary | XSS Vulnerability on Logged Out Page |
|---|---|
Advisory Release Date | 2019/02/12 |
Products | SAML Single Sign On (SSO) for JIRA SAML Single Sign On (SSO) for Confluence SAML Single Sign On (SSO) for Bitbucket |
Affected SAML SSO versions | 2.1.0 - 2.4.7 & 3.0.x |
Fixed SAML SSO versions | The vulnerability has been fixed for versions 2.4.8 and 3.1.0 of the plugin. A workaround exists for all affected versions. |
CVSS 3.0 Vector String | |
CVSS 3.0 Score | 6.1 (Base), 5.5 (Temporal) → Medium |
Summary of Vulnerability
This advisory discloses a medium severity XSS-based security vulnerability affecting SAML Single Sign On Plugin Version 2.1.0 until 2.4.7 including, as well as all versions 3.0.x. Versions 0.15.x, 2.0.x, 3.1.x and higher are not affected.
Please upgrade your Installations immediately to fix this vulnerability.
What You Need to Do
Upgrade to SAML Single Sign On (SSO) Version 2.4.8 or 3.1.0 or higher OR apply the documented workaround.
If you need help with either if these courses of action, please raise a support request via our Support Portal.
Support
If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.
Workaround
If you are unable to upgrade to a recent version at this point in time, you can alternatively apply the following workaround:
Visit our addon's configuration page at https://yourjira/plugins/servlet/samlsso/admin . Authenticate if necessary.
Open the tab "Page Templates" and find the entry called "Logged Out Page Template"
In the default template, look for the lines
- #if($loginurl) <p>
- <a href="$loginurl">Login with username and password</a>
- </p>
- #end
Depending on your situation, do one of the following:
If you did not find the snippet or any other references to $loginurl because you already forbid login without SSO, you are not vulnerable
If you are not using logout redirection, simply remove the code from the template.
If you are okay with losing the link to username/password login on the logged out page, simply remove the code from the template.
If you want to retain the link to username/password login on the logged out page, you can hard-code the actual URL.
Determine the actual login page URL from the table on (6.14.x) Cannot access Jira / Confluence/ Bitbucket/ Bamboo/ Fisheye-Crucible anymore - Bypass SSO
In the page template, replace the snippet above with the following
- <p>
- <a href="YOUR_NOSSO_LOGIN_URL">Login with username and password</a>
- </p>
Do not forget to Save the modified config.
(Optional) Test your changes by visiting one of the URLs listed in the "Attack Scenario" section.
Details
Prerequisites
To exploit the following prerequisites must be met:
The SAML Single Sign On addon is installed in a vulnerable version
The Logged Out Page Template setting contains a link to $loginurl (default setting)
The attacker can manipulate a victim to visit a prepared link
Attack scenario
It is possible to set the "loginurl" query parameter of the logged out page (accessible via https://yourjira/plugins/servlet/samlsso/loggedoutpage ) to an arbitrary URL or Javascript code. The user still has to open the crafted link they received from the attacker and then click the "Login with username and password" link.
Once that link is clicked, the user will be redirected to the page given by the attacker or execute the injected Javascript code. The attacker could set up a page resembling the Atlassian app's login page, into which users may enter their credentials. These could then be stolen.
The user's current session is most likely safe (since the JSESSIONID cookie is set to be httpOnly and can therefore not be accessed via the Javascript context).
Sample crafted Proof-of-Concept URLs:
https://yourjira/plugins/servlet/samlsso/loggedoutpage?loginurl=http://www.google.com
https://yourjira/plugins/servlet/samlsso/loggedoutpage?loginurl=javascript:alert(1)