Phishing vulnerability: Template generation allows external parameters to override placeholders
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| shibboleth-sp (Debian) |
Fix Released
|
Unknown
|
|||
| shibboleth-sp (Ubuntu) |
Fix Released
|
Medium
|
Steve Beattie | ||
Bug Description
Upstream advisory: https:/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Shibboleth Service Provider Security Advisory [17 March 2021]
An updated version of the Service Provider software is available
which fixes a phishing vulnerability.
Template generation allows external parameters to override placeholders
=======
The SP includes a primitive template engine used to render error pages
and various other status or transition pages, and it supports a syntax
for embedding placeholders that are replaced by internally supplied
values or configuration settings.
For reasons that are unclear in the code history, it was extended to
allow replacement via query parameters also, though this is not a
typical need. Because of this feature, it's possible to cause the SP
to display some templates containing values supplied externally by
URL manipulation.
Though the values are encoded to prevent script injection, the content
nevertheless appears to come from the server and so would be interpreted
as trustworthy, allowing email addresses, logos and style sheets, or
support URLs to be manipulated by an attacker.
All platforms are impacted by this issue.
Recommendations
===============
Update to V3.2.1 or later of the Service Provider software, which
is now available.
The update adds a new <Errors> setting to the configuration called
externalParameters, which defaults to false. When false, support for
this "feature" is disabled. In the unlikely event that a valid need
for this exists, the setting can be enabled temporarily to maintain
function until the use case requiring it is addressed in some other
way.
In the event that an update is not possible, reducing or eliminating
some of the more sensitive template replacement values with static
values in the templates may decrease the impact.
Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
d1dbebfadc1bdb8
Credits
=======
Toni Huttunen, Fraktal Oy
History
=======
Edited to add credit, and a bit more discussion of style sheet risk
and workarounds.
URL for this Security Advisory:
https:/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiE
eWJQtBAAp3xxDvD
lZlxHzvXb6dg+
LXaDsz7u4DDQ4OB
hnQKZ7i7mQobh61
Z/nuZ6Z/
r4izd97H7nptnuz
3f9Eei/
S66o9uQG3y55Qp9
eJhl3/cCenOyN9p
ld3Amkcpo/
RJUrsmhKRcQKMbf
=tv1A
-----END PGP SIGNATURE-----
Upstream bug: https:/
Upstream patch: https:/
CVE References
| description: | updated |
| information type: | Private Security → Public Security |
| Changed in shibboleth-sp (Debian): | |
| status: | Unknown → Confirmed |
| Etienne Dysli Metref (etienne-dysli-metref) wrote | #1 |
| description: | updated |
| summary: |
- Template generation allows external parameters to override placeholders + Phishing vulnerability: Template generation allows external parameters + to override placeholders |
| Changed in shibboleth-sp (Ubuntu): | |
| importance: | Undecided → Medium |
| Changed in shibboleth-sp (Debian): | |
| status: | Confirmed → Fix Released |
| Etienne Dysli Metref (etienne-dysli-metref) wrote | #2 |
| Etienne Dysli Metref (etienne-dysli-metref) wrote | #3 |
| Steve Beattie (sbeattie) wrote | #4 |
| Changed in shibboleth-sp (Ubuntu): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Steve Beattie (sbeattie) wrote | #5 |
| Changed in shibboleth-sp (Ubuntu): | |
| status: | New → In Progress |
| Launchpad Janitor (janitor) wrote | #6 |
| Changed in shibboleth-sp (Ubuntu): | |
| status: | In Progress → Fix Released |
Patch for focal copied from Debian buster's 3.0.4 security fix.