SECURITY ADVISORY: Shibboleth 2 IdP Error Page Vulnerable to Cross-site Request Attack

Chad La Joie
Shibboleth IdP 2.X cross-site request attack
============================================

All current versions of the Shibboleth 2 IdP are vulnerable to a
cross-site attack during certain error conditions.  Such attacks could
allow attackers to phish credentials, steal active sessions, or otherwise
intercept user/IdP communications.

Affected Systems
================
All current versions of the Shibboleth 2 IdP.

Addressing the Issue
====================
Within the Shibboleth IdP distribution bundle (the directory structure
created by expanding the downloaded archive from the shibboleth site)
edit the file 'src/main/webapp/error.jsp' and remove the following lines
(lines 20 - 25 in the default file).

    <%
        Throwable error = (Throwable) request.getAttribute(AbstractErrorHandler.ERROR_KEY);
        if (error != null) {
    %>
    <strong>Error Message: <%= error.getMessage() %></strong>
    <% } %>

Then, re-run the installation script (this time answering "no" when
asked if you want to overwrite your existing configuration) and restart
your Servlet container.

All error messages will still be included in the IdP's log file, but the
simpler error message will no longer be displayed to the user.
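The lines removed above write the exception message straight into the HTML response, which is why text that reaches the message can be rendered by the browser. The following is an added example, not Shibboleth code and not the fix shipped in any release: it shows the unescaped pattern beside a version that keeps the full detail in the server log and HTML-escapes what is sent to the user. The class name, the `escapeHtml` helper and the constructed exception message are assumptions made for illustration.

```java
import java.util.logging.Logger;

// Added example (not Shibboleth code): log the full exception server-side and
// emit only an HTML-escaped message in the page returned to the user.
public final class SafeErrorPage {
    private static final Logger LOG = Logger.getLogger(SafeErrorPage.class.getName());

    // Pattern from the advisory's error.jsp: the raw message is concatenated into
    // HTML, so any markup it contains is interpreted by the browser.
    static String renderUnescaped(Throwable error) {
        if (error == null) {
            return "";
        }
        return "<strong>Error Message: " + error.getMessage() + "</strong>";
    }

    // Hardened pattern: the complete exception stays in the log, and the message
    // is escaped before it is placed in HTML text content.
    static String renderEscaped(Throwable error) {
        if (error == null) {
            return "";
        }
        LOG.warning("error page rendered for: " + error);
        return "<strong>Error Message: " + escapeHtml(error.getMessage()) + "</strong>";
    }

    // Minimal escaper for the five characters that are significant in HTML text
    // and attribute contexts (assumed helper; a real deployment would use a
    // maintained encoding library).
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed message containing markup, standing in for text that
        // originated in the request rather than in the IdP itself.
        Throwable t = new IllegalArgumentException("bad parameter: <b>constructed</b>");
        System.out.println(renderUnescaped(t));
        System.out.println(renderEscaped(t));
    }
}
```

In a JSP the same effect is obtained by replacing `<%= error.getMessage() %>` with a JSTL `<c:out value="${error.message}"/>`, which escapes XML-significant characters by default; the point in either case is that output encoding happens at the HTML boundary, while the log keeps the unmodified exception for diagnosis.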

The next bugfix release of Shibboleth, currently scheduled for release
in 1 - 1.5 weeks, will contain the fix for this issue and re-enable the
display of the simpler error messages.

Credits
=======
Mike Suvanto, from CSC, for finding the bug

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch