PR07-06, PR07-07, PR07-08, PR07-09, PR07-10, PR07-12: Several XSS, 
Cross-domain Redirection and Frame Injection on Sun Java System Identity 
Manager

Vulnerability found: 11th June 2007

Vendor informed: 18th June 2007

Severity: Medium

Product description:

"Identity Manager allows customers to automate the process of creating, 
updating, and deleting user accounts across multiple IT systems. 
Collectively, this process is known as provisioning (e.g., creating, 
updating) and deprovisioning (e.g., deleting). For example, when a new 
employee joins a company, Identity Manager will automatically run a 
workflow retrieving the necessary approvals to grant the new employee 
access. Once these approvals are obtained, Identity Manager will 
automatically create user accounts allowing the new employee to do his 
or her job. This may include creating the user account for the new 
employee in the company's HR systems (PeopleSoft), giving him or her 
access to ERP applications (SAP) and/or creating an email account 
(Microsoft Exchange). If the employee changes roles in the company, 
Identity Manager will update the user account and provide access to the 
necessary resources required in that new role. When an employee leaves 
the company, Identity Manager automatically removes his or her user 
accounts to prevent access. By using Identity Manager, the entire 
provisioning and deprovisioning process can be automated--saving the 
customer both time and money." [1]


Problem summary:

The following issues have been found:

- HTML injection via the "cntry" parameter
- XSS via the "lang" parameter
- XSS via the "resultsForm" parameter
- XSS via the "activeControl" parameter
- frame injection via the "helpUrl"
- cross-domain redirects within the "nextPage" parameter

Sun has confirmed the following products to be affected by these issues: 
Sun Java System Identity Manager 6.0, Sun Java System Identity Manager 
7.0, Sun Java System Identity Manager 7.1


More information including proof of concepts can be found on:

http://www.procheckup.com/Vulnerability_PR07-06.php
http://www.procheckup.com/Vulnerability_PR07-07.php
http://www.procheckup.com/Vulnerability_PR07-08.php
http://www.procheckup.com/Vulnerability_PR07-09.php
http://www.procheckup.com/Vulnerability_PR07-10.php
http://www.procheckup.com/Vulnerability_PR07-12.php


Consequences:

- An attacker may be able to inject malicious HTML or scripting code in 
the browser of a user who clicks on a link to Sun Java System Identity 
Manager. This type of attack can result in non-persistent defacement of 
the target site, or the redirection of confidential information to 
unauthorised third parties.

- An attacker may inject frames that embed third-party sites, which can 
help launching phishing attacks by injecting a frame that points to a 
"spoof" login page. Non-persistent defacement of the target site is also 
possible.

- An attacker can redirect victim users to third-party sites after a 
successful logon. Such behaviour can help attackers perform phishing 
attacks.


Fix:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103180-1


References:

[1] http://www.sun.com/software/products/identity_mgr/general_faq.jsp#q_1

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=271729
http://www.procheckup.com/Vulnerabilities.php


Credits: Jan Fry and Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)