############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: PingID (MFA) [1] # Vendor: Ping Identity Corporation # CSNC ID: CSNC-2017-013 # Subject: Reflected Cross-Site Scripting # Risk: High # Effect: Remotely exploitable # Author: Stephan Sekula # Date: 18.04.2017 # ############################################################# Introduction: ------------- With PingID MFA, you can easily control when your users need to authenticate with a second factor. You can configure your policies based upon the following: Group - Require MFA for members of a specific group. Application - Require MFA for specific applications. Geofence - Require MFA if the user is outside a pre-set geofence. Rooted or Jailbroken device - Require MFA if the user’s device is rooted or jailbroken. Network IP - Require MFA if the device isn’t in a specific IP range. PingID MFA delivers the granular security that your policies require with the ease of use your users want. [1] Compass Security discovered a web application security flaw in PingID's authentication process, which allows an attacker to manipulate the resulting website. This allows, for instance, attacking the user's browser or redirecting the user to a phishing website. Technical Description --------------------- During the authentication process, a message parameter is used, which can be manipulated. If this parameter contains JavaScript code, it is executed in the user's browser. Exploiting the vulnerability will lead to so-called Cross-Site Scripting (XSS), allowing the execution of JavaScript in the context of the victim. Request: POST /pingid/ppm/auth/otp HTTP/1.1 Host: authenticator.pingone.com [CUT] Referer: https://authenticator.pingone.com/pingid/ppm/auth/otp Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 44 otp=123456&message= Response: HTTP/1.1 200 OK Date: Thu, 13 Apr 2017 11:21:45 GMT Server: Cache-Control: no-cache, no-store [CUT] Connection: close X-Content-Type-Options: nosniff Content-Length: 8313 [CUT] [CUT]
[CUT] Workaround / Fix: ----------------- This issue can be fixed by properly encoding all output, which is posted back to the user. For instance, using HTML encoding, to convert < to < and > to >. Timeline: --------- 2017-05-16: Coordinated public disclosure date 2017-05-03: Release of fixed version/patch 2017-04-20: Initial vendor response 2017-04-19: Initial vendor notification 2017-04-13: Discovery by Stephan Sekula References: ----------- [1] https://www.pingidentity.com/en/products/pingid.html