SecureAuth Version 9.3
ADVISORY SUMMARY
One low-risk vulnerability was discovered within the SecureAuth IdP v9.3 application. This vulnerability could allow malicious high-privilege users to modify usernames to contain an Angular template payload that could potentially be used to steal credentials during the authentication process.
Impact
The SecureAuth application was affected by a client-side template injection vulnerability that can lead to cross-site scripting (XSS) attacks.
Risk Level
Low
Affected Vendor
Product Vendor | Product Name | Affected Version
--- | --- | ---
SecureAuth | SecureAuth | 9.3
Product Description
SecureAuth is an enterprise identity and access-management service. The project’s official website is https://www.secureauth.com/. The latest version of the application is 9.3.0-17, released on June 5, 2020.
Vulnerabilities List:
One vulnerability was identified within the SecureAuth application:
CLIENT-SIDE TEMPLATE INJECTION
Solution
Update to version 9.3.0-17
This vulnerability is described in the following sections.
VULNERABILITY
Client-Side Template Injection
CVE ID | Security Risk | Impact | Access Vector
--- | --- | --- | ---
CVE-2020-9437 | Low | Cross-site scripting | Remote
The /SecureAuth.aspx endpoint's rendering of user-controlled username and email values is vulnerable to AngularJS client-side template injection. XSS payloads contained in the username or email can be executed during the authentication process.
The following AngularJS expression was used to execute a proof-of-concept JavaScript payload:
b@{{constructor.constructor('alert(window.location)')()}}.o
The username containing the payload was used to log in, as shown in the request below:
POST /[REDACTED]/SecureAuth.aspx?client_id=[REDACTED] …omitted for brevity…
&ctl00%24ContentPlaceHolder1%24MFALoginControl1%24UserIDView%24ctl00%24ContentPlaceHolder1_MFALoginControl1_UserIDView_txtUserid=b%40%7B%7Bconstructor.constructor%28%27alert%28window.location%29%27%29%28%29%7D%7D.o&ctl00%24ContentPlaceHolder1%24MFALoginControl1%24UserIDView%24ctl00%24ContentPlaceHolder1_MFALoginControl1_UserIDView_btnSubmit=Submit
Figure 2 – SecureAuth login request
After submitting the request, the payload executed on the page, as shown below:
Figure 3 – JavaScript alerting window.location
The payload triggered as an error during the sign-in process, resulting in self-XSS. Alternatively, an attacker who can change another user's email address, such as a malicious administrator, could use this attack to perform XSS against other users during authentication.
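The following JavaScript is an added example for this advisory; it is not SecureAuth's code or Bishop Fox's tooling. It models the root cause described above (a user-controlled identity value concatenated into markup that AngularJS later compiles, so the default `{{ }}` interpolation markers turn the value into an evaluated expression), shows the hardened pattern of binding the value as scope data instead, and adds two defensive checks a practitioner would want: a write-time validation for identity attributes and a form-body decoder that flags parameters carrying interpolation markers. All function names are hypothetical, the interpolation model assumes AngularJS's default markers, and the sample request body is constructed, with the parameter names shortened from the advisory's request.

```javascript
// Added example for this advisory (not SecureAuth's code or Bishop Fox's tooling).
// Models why inserting a raw username into AngularJS-compiled markup is dangerous,
// and demonstrates two defensive checks. All names below are hypothetical.

// The advisory's proof-of-concept value, used here only as test input.
const POC_USERNAME = "b@{{constructor.constructor('alert(window.location)')()}}.o";

// AngularJS evaluates expressions between its default interpolation markers {{ and }}
// in any markup it compiles. This regex models that behaviour (assumes the default
// markers, i.e. no custom $interpolateProvider configuration).
const INTERPOLATION_RE = /\{\{[\s\S]*?\}\}/g;

// Returns the interpolation expressions AngularJS would evaluate in `markup`.
function findInterpolations(markup) {
  return markup.match(INTERPOLATION_RE) || [];
}

// Vulnerable pattern (the shape the advisory describes): the server concatenates the
// user-controlled value into HTML that the client-side AngularJS app later compiles.
function renderVulnerable(username) {
  return `<div ng-app><p>Signing in as ${username}</p></div>`;
}

// Hardened pattern: the template stays static and the value travels as *data* on the
// scope, displayed through ng-bind, so braces inside the username are never compiled.
function renderHardened(username) {
  return {
    template: '<div ng-app><p>Signing in as <span ng-bind="user.name"></span></p></div>',
    scope: { user: { name: username } },
  };
}

// Defense in depth: usernames and email addresses have no legitimate need for template
// markers, so reject them at write time (for example in an administrative edit path).
function isSafeIdentityValue(value) {
  return !/\{\{|\}\}/.test(value);
}

// Detection: decode a URL-encoded form body (as in the advisory's POST) and report the
// names of parameters whose decoded value carries interpolation markers. Useful for
// WAF rules or log review of authentication requests.
function flagInterpolationInFormBody(body) {
  const flagged = [];
  for (const [name, value] of new URLSearchParams(body)) {
    if (findInterpolations(value).length > 0) flagged.push(name);
  }
  return flagged;
}

// Constructed sample body modelled on the advisory's request (parameter names shortened).
const SAMPLE_BODY =
  'client_id=REDACTED' +
  '&ctl00%24MFALoginControl1%24txtUserid=' +
  'b%40%7B%7Bconstructor.constructor%28%27alert%28window.location%29%27%29%28%29%7D%7D.o' +
  '&ctl00%24MFALoginControl1%24btnSubmit=Submit';

console.log(findInterpolations(renderVulnerable(POC_USERNAME)));          // one expression
console.log(findInterpolations(renderHardened(POC_USERNAME).template));   // []
console.log(isSafeIdentityValue(POC_USERNAME));                           // false
console.log(flagInterpolationInFormBody(SAMPLE_BODY));                    // the txtUserid parameter
```

The point of the two render functions is the boundary AngularJS enforces: text that is part of the compiled template is code, text reached through a binding is data. Moving the username from the first category to the second removes the expression evaluation entirely, which is the fix; the validation and body-decoding checks are secondary layers for catching the pattern before it reaches a template or for spotting it in traffic.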
Credits
Chris Davis, Consultant, Bishop Fox ([email protected])
Robert Punnett, Senior Consultant, Bishop Fox ([email protected])
Timeline
- Initial discovery: 02/20/2020
- Contact with vendor: 02/24/2020
- Vendor acknowledged vulnerabilities: 02/24/2020
- Vendor released patched version 9.3.0-17: 06/05/2020
- Vulnerability publicly disclosed: 06/19/2020