Reflected Cross-Site Scripting Vulnerability in Ellucian Ethos Identity CAS Logout Page
By: Andrew Schoonmaker and Clint Kehr
The authors would like to thank the Ellucian Product Security Team for their partnership and swift action in remediating this vulnerability.
Summary: We identified a Reflected Cross-Site Scripting (XSS) vulnerability in the Ellucian Ethos Identity CAS logout endpoint. This is only exploitable in a CAS deployment.
CVSS: 4.7 (Medium)
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
We wrote this blog post to highlight the process we followed to escalate an arbitrary domain redirect into a cross-site scripting (XSS) vulnerability, which required bypassing strong input validation controls.
In late April 2023, while logging out of a college website, we discovered a “url” parameter in the URI that controlled the redirect target of an HTML link reading “Return to your application.”
Changing the url parameter to an arbitrary origin, such as “example.com” or “abcd”, produced an href attribute pointing to that value.
Further research turned up a second parameter, “service,” that also allowed arbitrary origins to be rendered as an href attribute.
Attempting to use the word “javascript” followed by a colon resulted in the payload being blocked by the WAF.
Analyzing the HTML further, we added a double quote to close the href attribute and a closing angle bracket to close the tag, which allowed successful HTML injection.
Through trial and error with HTML tags, we discovered that only a few bypassed the WAF protections: <iframe>, <svg>, and <image>. We were then able to inject iframes from third-party domains into the webpage.
Although pointing the href attribute at an arbitrary origin and injecting HTML was sufficient to prove a vulnerability existed, we wanted to go further and prove that XSS was possible. We experimented with JavaScript event handlers and learned that some, like “onload”, were blocked, whereas “onerror” was allowed.
After significant effort to bypass the input validation controls, we finally found a successful bypass with the following payload:
https://<redacted>/cas/logout?url=http://example.com%22%3E%3Csvg%3E%3Cimage%20xlink:href=%22path/to/image.jpg%22%20onerror=confirm(document.location)%3E
After successfully bypassing the WAF and executing XSS, we discovered that other colleges were using the same software and were possibly vulnerable as well. We then contacted the vendor, Ellucian, and reported the vulnerability to them. Below is the timeline of events.
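The root cause described above is a redirect parameter reflected into an href attribute without an origin allowlist or attribute encoding, and the WAF was the only thing standing between the arbitrary redirect and XSS. The following is an added example written for this post, not Ellucian's or CAS's code, showing the vulnerable rendering pattern beside two fixes (encoding alone, which stops the attribute break-out but not the open redirect, and allowlist validation plus encoding, which stops both), and a small scan over access-log lines that flags logout requests whose url or service value would fail that validation. The allowlist (portal.example.edu, sso.example.edu), the fallback path, and the log lines are all constructed assumptions; the check covers both the “url” and “service” parameters the post mentions.

```python
from html import escape
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only origins a post-logout "Return to your
# application" link (or a CAS "service" value) may point to. In a real
# deployment this would come from the registered service list.
ALLOWED_RETURN_ORIGINS = {"https://portal.example.edu", "https://sso.example.edu"}
FALLBACK_TARGET = "/cas/login"  # assumed landing page when the parameter is rejected


def render_return_link_unsafe(url: str) -> str:
    """Vulnerable pattern: the parameter is reflected verbatim into an href,
    so a double quote closes the attribute and '>' closes the tag."""
    return f'<a href="{url}">Return to your application.</a>'


def render_return_link_encoded_only(url: str) -> str:
    """Attribute-encoding alone prevents the break-out (no HTML injection)
    but still lets the link point at any origin the caller supplies."""
    return f'<a href="{escape(url, quote=True)}">Return to your application.</a>'


def validate_return_url(url: str) -> Optional[str]:
    """Accept only absolute http(s) URLs whose scheme://host[:port] is on the
    allowlist; return None for anything else (javascript: URLs, bare words,
    unknown hosts, userinfo tricks, attribute break-out attempts).
    The comparison is strict: an explicit port or userinfo changes the
    netloc and is rejected unless listed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    if origin not in ALLOWED_RETURN_ORIGINS:
        return None
    return url


def render_return_link_safe(url: str) -> str:
    """Hardened pattern: allowlist the target first, then still encode it."""
    target = validate_return_url(url) or FALLBACK_TARGET
    return f'<a href="{escape(target, quote=True)}">Return to your application.</a>'


def find_suspicious_logout_requests(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan Combined-Log-Format style lines for /cas/logout requests whose url
    or service parameter fails validation. Returns (line_number, param, value)
    with the value percent-decoded so analysts see what the server saw."""
    findings = []
    for n, line in enumerate(log_lines, start=1):
        request = line.split('"')[1] if line.count('"') >= 2 else ""
        fields = request.split(" ")
        path = fields[1] if len(fields) >= 2 else ""
        if not path.startswith("/cas/logout"):
            continue
        query = path.partition("?")[2]
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if param not in ("url", "service"):
                continue
            for value in values:
                if validate_return_url(value) is None:
                    findings.append((n, param, value))
    return findings


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Apr/2023:10:00:01 +0000] "GET /cas/logout?url=https://portal.example.edu/home HTTP/1.1" 200 512',
    '198.51.100.8 - - [19/Apr/2023:10:00:02 +0000] "GET /cas/logout?url=http://example.com%22%3E%3Csvg%3E HTTP/1.1" 200 530',
    '198.51.100.9 - - [19/Apr/2023:10:00:03 +0000] "GET /cas/login?service=https://portal.example.edu/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, param, value in find_suspicious_logout_requests(SAMPLE_LOG):
        print(f"line {n}: rejected {param}={value!r}")
```

The order of the two defenses matters: validation decides where the user may be sent (closing the open redirect), and attribute encoding is kept as defense in depth so that even a future allowlist mistake cannot turn the href back into an injection point. The log scan reuses the same validator, so detection and enforcement cannot drift apart.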
Timeline:
April 19, 2023 — Vulnerability discovered
April 20, 2023 — Ellucian Product Security Team notified
May 9, 2023 — Vulnerability remediated by Ellucian
May 20, 2023 — CVE-2023-2822 assigned