Reflected Cross-Site Scripting Vulnerability in Ellucian Ethos Identity CAS Logout Page


Cyberninja717

By: Andrew Schoonmaker and Clint Kehr

The authors would like to thank the Ellucian Product Security Team for their partnership and swift action in remediating this vulnerability.

Summary: We identified a Reflected Cross-Site Scripting (XSS) vulnerability in the Ellucian Ethos Identity CAS logout endpoint. This is only exploitable in a CAS deployment.

CVSS: 4.7 (Medium)

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

We wrote this blog to highlight the process we followed to escalate an arbitrary-origin link (an open-redirect style weakness) into a cross-site scripting (XSS) vulnerability, which required bypassing the WAF-based input validation controls in front of the application.

In late April 2023, while logging out of a college website, we noticed a “url” parameter in the URI that controlled the href of an HTML link reading “Return to your application.”

Changing the url parameter to an arbitrary value, such as “example.com” or “abcd,” produced an href attribute pointing at that value:

(Figure 1: “url” parameter allows for arbitrary origins reflected in an href attribute)

Further research turned up a second parameter, “service,” that also allowed arbitrary origins to be rendered into an href attribute.

(Figure 2: “service” parameter allows for arbitrary origins reflected in an href attribute)

Attempting a javascript: URI scheme (the word “javascript” followed by a colon) resulted in the payload being blocked by the WAF.

Looking at the surrounding HTML, we appended a double quote to close the attribute value and a closing angle bracket to close the anchor tag, which broke out of the href attribute and allowed HTML injection.

(Figure 3: String breakout from href attribute)

Through trial and error with HTML tags, we found that only a few bypassed the WAF: <iframe>, <svg>, and <image>. We were then able to inject iframes sourced from third-party domains into the page.

(Figure 4: Bypassing WAF protections to inject an iframe from a 3rd party source)

Although pointing the href attribute at an arbitrary origin and injecting HTML was sufficient to prove a vulnerability existed, we wanted to prove that XSS was possible. We experimented with JavaScript event handler attributes and learned that some, like “onload,” were blocked, whereas “onerror” was allowed.

(Figure 5: WAF bypass using the JavaScript “onerror” event handler)

After working through these hurdles, we found a successful bypass with the following payload. URL-decoded, the “url” value closes the href attribute and the anchor tag, then injects an <svg> containing an <image> whose xlink:href points at a path that does not exist, so its onerror handler fires:

https://<redacted>/cas/logout?url=http://example.com%22%3E%3Csvg%3E%3Cimage%20xlink:href=%22path/to/image.jpg%22%20onerror=confirm(document.location)%3E

(Figure 6: full bypass resulting in successful XSS)
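As an added example (not Ellucian's code, and not code from the original post), the following Node.js snippet models the vulnerable pattern described above, where a “url” (or “service”) parameter is concatenated straight into an href attribute, beside a hardened version that both validates the return URL against an allowlist of registered client hosts and HTML-attribute-encodes whatever is emitted. The allowlisted hosts, the function names, and the fallback page text are assumptions for illustration; the attack string is the article's payload, URL-decoded.

```javascript
// Added example, not Ellucian's code and not from the original post.
// Models how reflecting a "url" parameter into an href becomes XSS,
// and what the fix looks like. Host allowlist and names are assumed.

// The article's payload, URL-decoded (constructed here as test input).
const ATTACK_URL =
  'http://example.com"><svg><image xlink:href="path/to/image.jpg" onerror=confirm(document.location)>';

// Vulnerable: the raw parameter is concatenated into an attribute value.
// A quote closes the attribute and ">" closes the <a> tag, so everything
// after it is parsed as markup, exactly the breakout the authors used.
function renderLogoutVulnerable(urlParam) {
  return `<p><a href="${urlParam}">Return to your application.</a></p>`;
}

// Fix, step 1: accept only absolute http(s) URLs whose host is a known
// client application (assumed allowlist). This rejects "javascript:" and
// "data:" schemes, relative junk like "abcd", and third-party origins,
// so there is nothing for a tag/event-handler denylist to miss.
const ALLOWED_RETURN_HOSTS = new Set(["portal.example.edu", "sso.example.edu"]);

function validateReturnUrl(urlParam) {
  let parsed;
  try {
    parsed = new URL(urlParam); // throws on relative or malformed input
  } catch (_) {
    return null;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  if (!ALLOWED_RETURN_HOSTS.has(parsed.hostname)) return null;
  return parsed.href; // normalised serialisation, not the raw input
}

// Fix, step 2: encode for the HTML attribute context regardless of step 1,
// so a later relaxation of the allowlist cannot reintroduce the breakout.
function encodeHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

function renderLogoutHardened(urlParam) {
  const safeUrl = validateReturnUrl(urlParam);
  if (safeUrl === null) {
    // Unknown or unsafe target: log out without offering a link at all.
    return "<p>You have been logged out.</p>";
  }
  return `<p><a href="${encodeHtmlAttribute(safeUrl)}">Return to your application.</a></p>`;
}

// Demonstration on the article's payload and on a legitimate return URL.
console.log("vulnerable:", renderLogoutVulnerable(ATTACK_URL));
console.log("hardened:  ", renderLogoutHardened(ATTACK_URL));
console.log("hardened:  ", renderLogoutHardened("https://portal.example.edu/app?x=1&y=2"));
```

The two steps address different things: the allowlist closes the open-redirect and third-party iframe problem that existed before any WAF bypass, while attribute encoding removes the attribute breakout itself. A denylist of tag names and event handlers in front of the application, which is what the authors worked around with <svg>, <image> and onerror, is not a substitute for either.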

After bypassing the WAF and executing XSS, we discovered that other colleges were running the same software and were possibly vulnerable as well. We then contacted the vendor, Ellucian, and reported the vulnerability. Below is the timeline of events.

Timeline:

April 19, 2023 — Vulnerability discovered

April 20, 2023 — Ellucian Product Security Team notified

May 9, 2023 — Vulnerability remediated by Ellucian

May 20, 2023 — CVE-2023-2822 assigned
