2019-02-12 XSS Vulnerability on Logged Out Page

Summary of Vulnerability

This advisory discloses a medium severity XSS-based security vulnerability affecting SAML Single Sign On Plugin Version 2.1.0 until 2.4.7 including, as well as all versions 3.0.x. Versions 0.15.x, 2.0.x, 3.1.x and higher are not affected. 

Please upgrade your Installations immediately to fix this vulnerability.

What You Need to Do

Upgrade to SAML Single Sign On (SSO) Version 2.4.8 or 3.1.0 or higher OR apply the documented workaround.

If you need help with either if these courses of action, please raise a support request via our  Support Portal. 

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.

Workaround

If you are unable to upgrade to a recent version at this point in time, you can alternatively apply the following workaround:

1. Visit our addon's configuration page at https://yourjira/plugins/servlet/samlsso/admin . Authenticate if necessary.
2. Open the tab "Page Templates" and find the entry called "Logged Out Page Template"

3. In the default template, look for the lines 

   #if($loginurl)      <p>
   <a href="$loginurl">Login with username and password</a>
   </p>
   #end

   CODE
4. Depending on your situation, do one of the following:
   1. If you did not find the snippet or any other references to $loginurl because you already forbid login without SSO, you are not vulnerable
   2. If you are not using logout redirection, simply remove the code from the template.
   3. If you are okay with losing the link to username/password login on the logged out page, simply remove the code from the template.
   4. If you want to retain the link to username/password login on the logged out page, you can hard-code the actual URL.
      1. Determine the actual login page URL from the table on Cannot access Jira / Confluence/ Bitbucket/ Bamboo/ Fisheye-Crucible anymore - Bypass SSO

      2. In the page template, replace the snippet above with the following 

         <p>
         <a href="YOUR_NOSSO_LOGIN_URL">Login with username and password</a>
         </p>

         CODE

5. Do not forget to Save the modified config.

6. (Optional) Test your changes by visiting one of the URLs listed in the "Attack Scenario" section.

Details

Prerequisites

To exploit the following prerequisites must be met:

• The SAML Single Sign On addon is installed in a vulnerable version
• The Logged Out Page Template setting contains a link to $loginurl (default setting)
• The attacker can manipulate a victim to visit a prepared link 

Attack scenario

It is possible to set the "loginurl" query parameter of the logged out page (accessible via https://yourjira/plugins/servlet/samlsso/loggedoutpage ) to an arbitrary URL or Javascript code. The user still has to open the crafted link they received from the attacker and then click the "Login with username and password" link.

Once that link is clicked, the user will be redirected to the page given by the attacker or execute the injected Javascript code. The attacker could set up a page resembling the Atlassian app's login page, into which users may enter their credentials. These could then be stolen.

The user's current session is most likely safe (since the JSESSIONID cookie is set to be httpOnly and can therefore not be accessed via the Javascript context).

Sample crafted Proof-of-Concept URLs:

https://yourjira/plugins/servlet/samlsso/loggedoutpage?loginurl=http://www.google.com 

https://yourjira/plugins/servlet/samlsso/loggedoutpage?loginurl=javascript:alert(1)