Shibboleth Service Provider Security Advisory

[UPDATED 8 November 2005]

Updated versions of the Shibboleth 1.3 Service Provider software are now
available which correct a security issue. A patch may be made available for
earlier versions if conditions warrant and a volunteer can be found to test
it.

Lazy session mechanism vulnerable to header spoofing
====================================================

Shibboleth supports a concept called lazy sessions, fully described at

    https://spaces.internet2.edu/display/SHIB/LazySession

When lazy sessions are used, the code in Shibboleth that is designed to clear
out the potential headers that could contain authentication and attribute
information is not run. This means that a client could supply a spoofed
header with the right name and fool an application into believing that the
header was set by the Shibboleth software.

When the normal "requireSession" mechanism is used, which enforces a session
based on the URL of the request, this code always runs if the request is
passed along to the web server for processing at all.

All versions of Shibboleth that support lazy sessions are vulnerable to this
issue (1.2 and later).

Recommendations
---------------

When possible, upgrade to the latest patched release of Shibboleth, 1.3b.

SP deployments running earlier versions of Shibboleth are urged to disable
the use of lazy sessions and rely only on mandatory session establishment.

For users running Windows, a new package and post-install set for version
1.3b has been created and is available at the download site. New RPMs (1.3-7)
have also been created for Fedora Core 3. Updated Solaris packages and Mac
binaries are also available.

    http://wayf.internet2.edu/shibboleth/

The Win32 distribution file names are:

  o win32/shibboleth-sp-1.3b-win32.msi
    GPG: win32/shibboleth-sp-1.3b-win32.msi.asc

  o win32/shibboleth-sp-1.3-win32-postinstall.zip
    GPG: win32/shibboleth-sp-1.3-win32-postinstall.zip.asc

Credits
-------

Thanks to Velpi for reporting this problem.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20050901.txt
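The following is an added illustration, not code from the Shibboleth project: it models the SP's header-clearing step as a filter in front of an application and contrasts the lazy-session behaviour described above (clearing skipped when no session is required) with the corrected behaviour (clearing always runs). The header names and session contents are constructed for the example.

```python
"""Model of the Shibboleth SP header-clearing step from the advisory.

Added example, not the SP's own code. The SP acts as a filter ahead of the
application: inbound request headers whose names the SP reserves for
authentication and attribute data must be dropped on every request, and
then re-populated only from a server-side session (the trusted source).
"""

# Header names the SP reserves for data it sets itself (constructed list;
# the real SP derives these from its attribute mapping configuration).
PROTECTED_HEADERS = {"remote-user", "shib-identity-provider", "shib-session-id"}


def strip_client_supplied(headers):
    """Drop every protected header, whatever the client sent."""
    return {
        k: v for k, v in headers.items()
        if k not in PROTECTED_HEADERS and not k.startswith("shib-")
    }


def populate_from_session(headers, session):
    """Set protected headers only from the server-side session."""
    out = dict(headers)
    if session is not None:
        out["remote-user"] = session["user"]
        out["shib-identity-provider"] = session["idp"]
    return out


def sp_filter(headers, session, lazy_session_bug=False):
    """lazy_session_bug=True reproduces the flaw: with lazy sessions and no
    established session the clearing step is skipped. The fixed behaviour
    (default) clears client-supplied protected headers unconditionally."""
    headers = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    skip_clear = lazy_session_bug and session is None
    cleaned = headers if skip_clear else strip_client_supplied(headers)
    return populate_from_session(cleaned, session)


def app_view(headers):
    """What a downstream application sees: it trusts remote-user as-is."""
    return headers.get("remote-user")
```

The application-side lesson is that the identity header is only trustworthy if the filter in front of it clears inbound copies on every request, which is what the patched SP restores.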