Shibboleth Service Provider Security Advisory [9 January 2006]

Updated versions of the Shibboleth Service Provider software are now
available which correct a security issue.

Error templates vulnerable to XSS (cross-site scripting) injection
==================================================================

The Shibboleth Service Provider includes an HTML error template mechanism
to support customized error handling. The template support includes the
ability to substitute error information derived from the runtime error
that occurred into the HTML document.

A specially crafted request could be used to inject JavaScript into an
error template, and this can be used to execute scripts in the context of
the Shibboleth-protected site, a common technique in XSS attacks. If a
user had already logged into a Shibboleth-protected application, the
injected script could steal the session cookie and enable user
impersonation if IP checking measures were not in effect.

All versions of the Shibboleth SP are potentially affected by this issue.

NOTE: The Shibboleth IdP contains no known XSS vulnerabilities at this
time. However, since user authentication is not formally part of the IdP
software, deployers should consider any potential XSS threats resulting
from the software used for authentication.

Recommendations
---------------

When possible, upgrade to the latest patched release of Shibboleth, 1.3c
or 1.2.1b.

SP deployments running earlier versions of Shibboleth are urged to remove
at least the "" and "" tags from any deployed templates. Error templates
are typically placed in the "etc/shibboleth" folder beneath the SP
installation and have a ".html" extension.

Other template tags may also be removed for protection against any
currently unforeseen attack vectors, but this is very unlikely to be
necessary, as most other tags are replaced by data supplied either
directly by the deployer or from trustworthy sources.
The 1.3c patch also enables a new setting called "consistentAddress",
which extends the protection applied to sessions and modifies the meaning
of the "checkAddress" attribute in shibboleth.xml. For details on this
setting and how it will impact existing deployments, please refer to:

  https://spaces.internet2.edu/display/SHIB/AddressChecking

For users running Windows, a new package and post-install set for version
1.3c has been created and is available at the download site. New RPMs
(1.3-8) have also been created for Fedora Core 3 and certain other
platforms. Updated Solaris packages and Mac binaries are also available.

  http://wayf.internet2.edu/shibboleth/

The Win32 distribution file names are:

  o win32/shibboleth-sp-1.3c-win32.msi
    GPG: win32/shibboleth-sp-1.3c-win32.msi.asc
  o win32/shibboleth-sp-1.3-win32-postinstall.zip
    GPG: win32/shibboleth-sp-1.3-win32-postinstall.zip.asc

A Windows build of 1.2.1b is not presently available. Windows deployments
are strongly urged to follow the workaround described above.

Credits
-------

Thanks to Jim Fox for reporting this problem and assisting with the fix.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20060109.txt