Bug#985405: src:shibboleth-sp: Error templates allow query-based override of variables
Ferenc Wágner
wferi at debian.org
Wed Mar 17 15:03:25 GMT 2021
Package: src:shibboleth-sp
Version: 3.0.2+dfsg1-1
Severity: important
Tags: upstream patch security
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-922
Shibboleth Service Provider Security Advisory [17 March 2021]
An updated version of the Service Provider software is available
which fixes a phishing vulnerability.
Template generation allows external parameters to override placeholders
======================================================================
The SP includes a primitive template engine used to render error pages
and various other status or transition pages, and it supports a syntax
for embedding placeholders that are replaced by internally supplied
values or configuration settings.
For reasons that are unclear in the code history, it was extended to
allow replacement via query parameters also, though this is not a
typical need. Because of this feature, it's possible to cause the SP
to display some templates containing values supplied externally by
URL manipulation. Though the values are encoded to prevent script
injection, the content nevertheless appears to come from the server
and so would be interpreted as trustworthy, allowing email addresses,
logos, or support URLs to be manipulated by an attacker.
All platforms are impacted by this issue.
Recommendations
===============
Update to V3.2.1 or later of the Service Provider software, which
is now available.
The update adds a new <Errors> setting to the configuration called
externalParameters, which defaults to false. When false, support for
this "feature" is disabled. In the unlikely event that a valid need
for this exists, the setting can be enabled temporarily to maintain
function until the use case requiring it is addressed in some other
way.
Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
d1dbebfadc1bdb824fea63843c4c38fa69e54379
URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210317.txt
More information about the Pkg-shibboleth-devel
mailing list