Hello
For info.
Masha
________________________________
From: Chad La Joie [mailto:[log in to unmask]]
Sent: Mon 03-Nov-08 11:23 AM
To: [log in to unmask]
Subject: [Shibboleth-Announce] SECURITY ADVISORY: Shibboleth IdP 2.0 UsernamePassword Login Handler Vulnerable to Cross-site Request Attack
Shibboleth IdP 2.0 UsernamePassword Login Handler Vulnerable to
Cross-site Request Attack
=======================================================
Shibboleth IdP 2.0 includes a login handler that accepts username and
passwords and authenticates the user against systems such as LDAP or
Kerberos domains. This login handler is vulnerable to a cross-site
request attack. Such attacks could allow the attacker to intercept
username/passwords or steal active sessions.
Affected Systems
================
Shibboleth IdP 2.0 deployments that use the UsernamePassword login handler.
A deployment is using the UsernamePassword login handler if, in the
relying-party.xml, there is an uncommented <LoginHandler> of type
'UsernamePassword'.
Addressing the Issue
====================
All affected deployments should immediately upgrade to Shibboleth IdP 2.1.
Credits
=======
Celeste Copeland, from SAS, for finding the bug.
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[log in to unmask], http://www.switch.ch
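The "Affected Systems" section above says a deployment is affected only if it has an uncommented LoginHandler of type UsernamePassword. The following script is an added example written for this page; it is not part of the advisory and not code from the Shibboleth project. It reads an IdP XML configuration as text and reports which LoginHandler types are actually live. The sample configuration embedded below is constructed for illustration, and the namespace URI urn:mace:shibboleth:2.0:idp:profile-handler and the ph: prefix are assumed to match a typical IdP 2.x setup; the check only keys on the element's local name and the xsi:type local name, so other prefixes work too. Because ElementTree drops XML comments while parsing, a handler that was commented out is never reported as active, which is exactly the distinction the advisory draws.

```python
"""Report the LoginHandler types that are live in a Shibboleth IdP 2.x XML config.

Added example for this advisory (not Shibboleth project code). The advisory
points at relying-party.xml; this function takes the file contents as a string,
so it can be run on whichever file carries the <LoginHandler> elements.
"""
from typing import List
import xml.etree.ElementTree as ET

# Fully qualified name of the xsi:type attribute as ElementTree exposes it.
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def _local_name(qualified: str) -> str:
    """Strip either a '{namespace}' prefix or a 'prefix:' prefix."""
    if qualified.startswith("{"):
        return qualified.split("}", 1)[1]
    return qualified.split(":", 1)[-1]


def active_login_handler_types(xml_text: str) -> List[str]:
    """Return the xsi:type local names of every LoginHandler that is not commented out.

    ElementTree discards comments during parsing, so a <LoginHandler> wrapped in
    <!-- ... --> never appears in the tree and is correctly treated as inactive.
    """
    root = ET.fromstring(xml_text)
    found = []
    for element in root.iter():
        if _local_name(element.tag) != "LoginHandler":
            continue
        handler_type = element.get(XSI_TYPE, "")
        found.append(_local_name(handler_type))
    return found


def uses_username_password_handler(xml_text: str) -> bool:
    """True when the configuration has a live UsernamePassword login handler."""
    return "UsernamePassword" in active_login_handler_types(xml_text)


# Constructed sample 1: the UsernamePassword handler is commented out, only
# RemoteUser is live. Namespace URI and prefix are assumptions, not from the advisory.
SAMPLE_CONFIG_SAFE = """<ph:ProfileHandlerGroup
    xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- Commented out, so this handler is inactive and must not be reported.
  <ph:LoginHandler xsi:type="ph:UsernamePassword" authenticationDuration="30"
      jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config" />
  -->
  <ph:LoginHandler xsi:type="ph:RemoteUser" authenticationDuration="30" />
</ph:ProfileHandlerGroup>
"""

# Constructed sample 2: the UsernamePassword handler is live, so this deployment
# matches the advisory's "Affected Systems" description.
SAMPLE_CONFIG_AFFECTED = """<ph:ProfileHandlerGroup
    xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ph:LoginHandler xsi:type="ph:UsernamePassword" authenticationDuration="30"
      jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config" />
  <ph:LoginHandler xsi:type="ph:RemoteUser" authenticationDuration="30" />
</ph:ProfileHandlerGroup>
"""


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
        print("active LoginHandler types:", active_login_handler_types(text))
        print("affected by this advisory:", uses_username_password_handler(text))
    else:
        for label, sample in (("safe", SAMPLE_CONFIG_SAFE), ("affected", SAMPLE_CONFIG_AFFECTED)):
            print(label, active_login_handler_types(sample), uses_username_password_handler(sample))
```

Run it with the path to the configuration file as the only argument; with no argument it evaluates the two embedded samples. A result of True means the deployment matches the advisory's affected-systems description and should be upgraded to IdP 2.1 as the advisory states.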