Shibboleth Service Provider Security Advisory [2 October 2006]

Updated versions of the Shibboleth 1.3 and 1.2.1 Service Provider software
are now available which correct a security issue. This is a MAJOR security
issue and deployers are urged to review the information below and upgrade
their installations at the soonest possible time. Critical applications
that may be vulnerable should be taken offline until the upgrade is
performed.

Shibboleth SP software vulnerable to alternate URL encodings
=============================================================

Shibboleth includes the ability to configure session requirements using an
XML syntax that is independent of the underlying web server platform. To
implement this feature, requests are processed and compared to path
expressions in the XML.

URLs submitted by clients can contain specially encoded characters within
the path. Current versions of Shibboleth mistakenly process the encoded
request path, allowing specially crafted requests to bypass the intended
comparison, causing unintended exposure of resources.

All versions of Shibboleth are vulnerable to this issue; however,
configurations which rely on Apache .htaccess files and related syntax
(e.g. the ShibRequireSession command) are NOT vulnerable to this problem.

Recommendations
---------------

All sites using 1.3 should upgrade to the latest patched release, 1.3f.

All sites using 1.2.1 should upgrade to the latest patched release, 1.2.1d.

SP deployments running earlier versions of Shibboleth are urged to upgrade
to version 1.3f, or contact the Shibboleth team for assistance.

For users running Windows, a new package and post-install set for version
1.3f has been created and is available at the download site. New RPMs
(1.3-11) have been created on all supported platforms and updated Solaris
packages and Mac binaries are also available.

http://shibboleth.internet2.edu/latest.html

A source patch is available for version 1.2.1, the last supported version
prior to 1.3. The updated source distribution, 1.2.1d, is here:

http://shibboleth.internet2.edu/downloads/archive/shibboleth-sp-1.2.1d.tar.gz

Credits
-------

Thanks to Nic Bauters for reporting this problem.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20061002.txt
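The defect the advisory describes is a canonicalization mismatch: the access rule is matched against the raw request path while the web server serves the resource named by the decoded path. The following Python is an added illustration written for this page; it is not Shibboleth code and does not reproduce the SP's RequestMap implementation. The rule table, the path-prefix matcher and the request samples are all constructed here for the demonstration. It shows a matcher that compares the undecoded path beside one that first decodes and normalizes the path the same way the server will, and an audit helper that flags any request the two disagree on, which is the kind of check a deployer can run over an access log to see whether a rule set was exposed.

```python
"""Path-based access rules must be matched against the canonical request
path (percent-decoded and normalized), not the raw bytes the client sent.
Added illustration for the Shibboleth SP advisory above; not SP code."""
import posixpath
from urllib.parse import unquote

# Constructed rule table in the spirit of a path-based session requirement:
# (path prefix, session required?). Longest/most specific prefix first.
RULES = [
    ("/secure", True),
    ("/", False),
]


def match_rule(path):
    """Return whether a session is required for an already-canonical path."""
    for prefix, require_session in RULES:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return require_session
    return False


def canonicalize(raw_path):
    """Turn the raw request-line path into the form the server resolves.

    Decode percent-encoding once (matching a typical server's single decode),
    drop any query string, and collapse '.' and '..' segments. A trailing
    slash is preserved because '/secure/' and '/secure' are distinct targets.
    """
    path = raw_path.split("?", 1)[0]
    decoded = unquote(path)
    normalized = posixpath.normpath(decoded)
    if decoded.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized


def requires_session_vulnerable(raw_path):
    """Flawed behaviour: the rule is compared to the still-encoded path."""
    return match_rule(raw_path)


def requires_session_fixed(raw_path):
    """Corrected behaviour: canonicalize first, then compare."""
    return match_rule(canonicalize(raw_path))


def audit_bypasses(raw_paths):
    """Return the requests for which the flawed matcher would have skipped a
    session check that the canonical matcher requires."""
    return [
        p for p in raw_paths
        if requires_session_fixed(p) and not requires_session_vulnerable(p)
    ]


if __name__ == "__main__":
    # Constructed sample request paths, e.g. as pulled from an access log.
    samples = [
        "/secure/report",           # plain request, both matchers agree
        "/%73ecure/report",         # 's' percent-encoded: flawed matcher misses it
        "/public/../secure/report", # dot-segment: flawed matcher misses it
        "/public/index.html",       # genuinely public, both agree
    ]
    for p in samples:
        print(f"{p:28} canonical={canonicalize(p):18} "
              f"vulnerable={requires_session_vulnerable(p)} "
              f"fixed={requires_session_fixed(p)}")
    print("bypass candidates:", audit_bypasses(samples))
```

The important design choice is that `canonicalize` must apply the same decoding the fronting web server applies before it resolves the resource; decoding differently (for instance, decoding twice when the server decodes once) reintroduces a mismatch in the other direction. That is also why the advisory notes that rules expressed in Apache `.htaccess` (such as `ShibRequireSession`) were unaffected: Apache evaluates them against its own already-canonical view of the path.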