shibboleth-dev - Re: Shibboleth Service Provider Security Advisory [1 September 2005]
  • From: Simon McLeish <>
  • To:
  • Subject: Re: Shibboleth Service Provider Security Advisory [1 September 2005]
  • Date: Thu, 01 Sep 2005 16:16:24 +0100

Hi Scott,

Sorry to bother you about something which is a relatively minor issue
when you're going to be busy with fixing this, but I noticed that this
advisory didn't get cc'd to the announce list. We're beginning the
process of handing over our IdP support to our main library IT team, and
we were going to recommend that they subscribed to the announce list to
pick things like this up (shib-dev obviously not appropriate, shib-users
too busy with irrelevant stuff once the IdP is up and running smoothly).
Is it generally intended to be the case that security patches will be
announced there, or should I get them to check the website regularly?

Cheers,
Simon

Scott Cantor wrote:

>Shibboleth Service Provider Security Advisory [1 September 2005]
>
>A security issue has been identified in the Shibboleth 1.2.x and 1.3
>Service Provider software. A patch is under development for at least
>the 1.3 version, and may be available for 1.2.x in the future.
>
>
>Lazy session mechanism vulnerable to header spoofing
>====================================================
>
>Shibboleth supports a concept called lazy sessions, fully described
>at https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/LazySession
>
>When lazy sessions are used, the code in Shibboleth that is designed
>to clear out the potential headers that could contain authentication
>and attribute information is not run. This means that a client could
>supply a spoofed header with the right name and fool an application
>into believing that the header was set by the Shibboleth software.
>
>When the normal "requireSession" mechanism is used, which enforces
>a session based on the URL of the request, this code always runs if
>the request is passed along to the web server for processing at all.
>
>All versions of Shibboleth that support lazy sessions are vulnerable
>to this issue (1.2 and later).
>
>
>Recommendations
>---------------
>
>A patch is not yet available to correct this issue. This advisory
>will be updated when it is finished. Until such time, SP deployments
>are urged to disable the use of lazy sessions and rely only on
>mandatory session establishment.
>
>Credits
>-------
>Thanks to Velpi for reporting this problem.
>
>URL for this Security Advisory:
>http://shibboleth.internet2.edu/secadv/secadv_20050901.txt

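The header-clearing gap the advisory describes, as an added illustration that is not Shibboleth's own code: a constructed simulation of an SP request filter, with the pre-advisory ordering (lazy mode skips the clearing step) beside the corrected ordering (clearing runs on every request before any session decision), plus a small detection hook. The header names, function names and session layout are assumptions for the example only.

```python
# Constructed simulation of an SP's per-request header handling; not Shibboleth code.
# Header names below are illustrative assumptions, not the real SP configuration.
PROTECTED_NAMES = frozenset({"remote_user"})   # set from the session, never by the client
SP_HEADER_PREFIX = "shib-"                       # attribute headers exported by the SP

def is_sp_controlled(name):
    """True for any header the application trusts the SP to have set."""
    lowered = name.lower()
    return lowered in PROTECTED_NAMES or lowered.startswith(SP_HEADER_PREFIX)

def clear_sp_headers(headers):
    """Drop every SP-controlled header the client sent, whatever its value."""
    return {k: v for k, v in headers.items() if not is_sp_controlled(k)}

def export_session(headers, session):
    """Populate SP-controlled headers from a verified session."""
    out = dict(headers)
    out["REMOTE_USER"] = session["user"]
    out.update(session["attributes"])
    return out

def filter_vulnerable(headers, session, lazy):
    """Pre-advisory behaviour: lazy mode with no session skips the clearing step."""
    if lazy and session is None:
        return dict(headers)            # passes through whatever the client sent
    headers = clear_sp_headers(headers)
    if session is None:                 # requireSession: force session establishment
        raise PermissionError("session required")
    return export_session(headers, session)

def filter_fixed(headers, session, lazy):
    """Clearing runs first on every request, before any session decision."""
    headers = clear_sp_headers(headers)
    if session is None:
        if lazy:
            return headers              # anonymous request, spoofed headers already removed
        raise PermissionError("session required")
    return export_session(headers, session)

def spoofed_header_names(headers):
    """Detection hook: SP-controlled names present in a raw client request (worth logging)."""
    return sorted(k for k in headers if is_sp_controlled(k))

# Constructed request: an anonymous client supplies headers that look SP-issued.
SPOOFED_REQUEST = {"Host": "sp.example.org", "REMOTE_USER": "alice",
                   "Shib-EP-Affiliation": "staff", "Accept": "text/html"}
GENUINE_SESSION = {"user": "bob@example.org",
                   "attributes": {"Shib-EP-Affiliation": "member"}}
```

Logging the output of `spoofed_header_names` on incoming requests gives a deployment a way to spot attempts while the interim mitigation (lazy sessions disabled) is in place.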