Multiple non-persistent XSS vulnerabilities were found
in the Pubcookie login server's compiled binary "index.cgi"
CGI program. The CGI program mishandles untrusted data when
printing responses to the browser. This makes the program
vulnerable to carefully crafted requests containing script
or HTML. If an attacker can lure an unsuspecting user to
visit carefully staged content, the attacker can use it to
redirect the user to his or her local Pubcookie login page
and attempt to exploit the XSS vulnerabilities.
These vulnerabilities are classified as *critical* due
to the nature and purpose of the Pubcookie login server for
user authentication and Web Single Sign-on (SSO). Specific
threats include:
- An attacker who injects malicious script through the
vulnerabilities might steal sensitive user data including
a user's authentication credentials (usernames and
passwords);
- An attacker who injects malicious script through the
vulnerabilities might steal private Pubcookie data
including a user's authentication assertion ("granting")
cookies and SSO ("login") session cookies;
- An attacker who injects HTML tags through the
vulnerabilities might deface a site's Pubcookie login page
for a single visit by a single user (i.e. a non-persistent
defacement).
At the heart of these threats lies a violation of the
user's trust in the Pubcookie login server.