201709-01

Cross Site Scripting (XSS) in the consentAdmin module

Background

The consentAdmin module is an addition to the consent module that allows users to view and manage the consent given to send attributes to third-party services. Users of an Identity Provider can leverage this module to keep track of what attributes are sent to what services, and withdraw any existing consent.

Description

A Cross Site Scripting (XSS) issue has been found in the consentAdmin module, allowing an attacker to manually craft links that a victim can open, executing arbitrary JavaScript code.

The module exposes one single page where users can view and withdraw all consents given to services to retrieve their attributes. This page includes a link that allows users to log out and terminate their session. This link was built from the current URL as observed by the server, with an additional parameter appended that starts the logout process. Since that URL was not properly sanitised, a malicious third party can build a URL that includes JavaScript code which will be executed by the victim's web browser when the link is rendered into the page.

This issue has been fixed by ignoring the current URL and building the link manually to point to the current page with the additional parameter that is needed to start the logout process.
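The two link-building patterns described above, side by side, as an added illustration in PHP. This is not SimpleSAMLphp's own code: the function names, the base path and the sample request URI are hypothetical placeholders.

```php
<?php
// Added illustration (not SimpleSAMLphp code): a logout link derived from the
// observed request URL is a reflected XSS sink; building it from a fixed,
// known path removes the attacker-controlled input entirely.

// Vulnerable pattern: the link reuses the URL exactly as the server saw it.
// Whatever the query string contains is copied into the HTML unescaped, so a
// crafted link opened by the victim is reflected straight back into the page.
function buildLogoutLinkVulnerable(string $requestUri): string
{
    $separator = (strpos($requestUri, '?') === false) ? '?' : '&';
    return '<a href="' . $requestUri . $separator . 'logout=1">Logout</a>';
}

// Hardened pattern: ignore the observed URL. The target is the known path of
// the page plus the single parameter the logout flow needs, and the result is
// still HTML-escaped before it is placed inside an attribute.
function buildLogoutLinkSafe(string $basePath): string
{
    $url = $basePath . '?' . http_build_query(['logout' => 1]);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Logout</a>';
}

// Constructed sample input (hypothetical path): a request URI carrying a
// harmless marker that stands in for attacker-controlled content.
$basePath   = '/consentadmin/';
$taintedUri = $basePath . '?x=MARKER';

$vulnerable = buildLogoutLinkVulnerable($taintedUri);
$safe       = buildLogoutLinkSafe($basePath);

// The marker is reflected in the vulnerable output and absent from the
// hardened one, which never reads the request URL at all.
assert(strpos($vulnerable, 'MARKER') !== false);
assert(strpos($safe, 'MARKER') === false);
assert($safe === '<a href="/consentadmin/?logout=1">Logout</a>');

echo $vulnerable, "\n", $safe, "\n";
```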

Affected versions

All SimpleSAMLphp versions before and including 1.14.15.

Impact

When the consentAdmin module is enabled and configured in an Identity Provider, an attacker can leverage this issue to manually craft URLs that include JavaScript code executed by the victim's web browser.

Resolution

Upgrade to the latest version. When an upgrade is not possible immediately, the consentAdmin module should be disabled until the upgrade can be performed.