shibboleth-dev - Shibboleth Service Provider Security Advisory [1 September 2005]
  • From: "Scott Cantor"
  • Subject: Shibboleth Service Provider Security Advisory [1 September 2005]
  • Date: Thu, 1 Sep 2005 10:53:05 -0400
  • Organization: The Ohio State University

Shibboleth Service Provider Security Advisory [1 September 2005]

A security issue has been identified in the Shibboleth 1.2.x and 1.3
Service Provider software. A patch is under development for at least
the 1.3 version, and may be available for 1.2.x in the future.


Lazy session mechanism vulnerable to header spoofing
====================================================

Shibboleth supports a concept called lazy sessions, fully described
at https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/LazySession

When lazy sessions are used, the code in Shibboleth that is designed
to clear out the potential headers that could contain authentication
and attribute information is not run. This means that a client could
supply a spoofed header with the right name and fool an application
into believing that the header was set by the Shibboleth software.

When the normal "requireSession" mechanism is used, which enforces
a session based on the URL of the request, this code always runs if
the request is passed along to the web server for processing at all.

All versions of Shibboleth that support lazy sessions are vulnerable
to this issue (1.2 and later).
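The following is an added model of the issue described above, written for this page and not taken from the Shibboleth SP source. It assumes a simplified request pipeline in which the SP scrubs client-supplied copies of the headers it owns before handing the request to the application; the header names and request values are constructed.

```python
"""Model of the lazy-session header-spoofing issue (constructed illustration)."""

# Header names only the SP is allowed to set. These names are assumptions for
# the model; a real deployment names its attribute headers in the SP config.
SP_HEADERS = ("REMOTE_USER", "Shib-EP-Affiliation")


def clear_sp_headers(headers):
    """Drop any client-supplied value for a header the SP owns."""
    return {k: v for k, v in headers.items() if k not in SP_HEADERS}


def spoof_attempt(headers):
    """Names of SP-owned headers present in a raw client request.

    A non-empty result on inbound traffic is worth logging at the web server,
    whether or not the SP would have scrubbed them.
    """
    return sorted(k for k in headers if k in SP_HEADERS)


def sp_filter(headers, session, require_session, *, clear_always):
    """Return the headers as the application would see them, or None if the
    SP would redirect the request to authentication instead.

    headers:         raw request headers from the client (constructed)
    session:         dict of SP attributes for an established session, or None
    require_session: True for mandatory "requireSession", False for a lazy session
    clear_always:    False reproduces the vulnerable behaviour, where scrubbing
                     is skipped when no session is required and none exists;
                     True is the hardened behaviour, scrubbing on every request.
    """
    if require_session and session is None:
        return None  # request never reaches the application
    if session is not None or require_session or clear_always:
        headers = clear_sp_headers(headers)
    if session is not None:
        headers = {**headers, **session}  # SP populates its own headers
    return headers


def app_user(headers):
    """The application reads REMOTE_USER and trusts that the SP set it."""
    return headers.get("REMOTE_USER") if headers else None
```

With lazy sessions and no established session, the vulnerable path hands the client's own REMOTE_USER through untouched; the hardened path and the mandatory-session path both prevent that, which is why the workaround of disabling lazy sessions is effective until a patch is available.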


Recommendations
---------------

A patch is not yet available to correct this issue. This advisory
will be updated when it is finished. Until such time, SP deployments
are urged to disable the use of lazy sessions and rely only on
mandatory session establishment.

Credits
-------
Thanks to Velpi for reporting this problem.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20050901.txt
