[Security-news] SA-CONTRIB-2009-070 - Shibboleth authentication - Impersonation, privilege escalation

security-news at drupal.org
Wed Oct 14 17:29:54 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-070
  * Project: Shibboleth authentication (third-party module)
  * Version: 6.x, 5.x
  * Date: 2009-October-14
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Impersonation, privilege escalation

-------- DESCRIPTION ---------------------------------------------------------

The Shibboleth authentication module provides user authentication and
authorisation based on the Shibboleth Web Single Sign-on system. The module
does not properly handle changes to the underlying Shibboleth session.
This can result in impersonation and possible privilege escalation if a user
leaves the browser unattended (i.e. after SAML2 Single Logout). A person using
the same browser session but re-authenticated at their IdP might become
logged in as the original user (even accidentally). Dynamic roles provided
by the module are based on the attributes of the new user; however, any
permissions statically granted to the victim would still be in effect.
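
The mitigation the advisory describes amounts to binding the Drupal login to the Shibboleth SP session that created it and ending the login when that session changes or disappears. The following is an added illustration written for this page, not the shib_auth module's own fix; it assumes the SP exposes its session identifier as $_SERVER['Shib-Session-ID'] and uses the Drupal 6 hook_init/hook_user conventions with a hypothetical module name shib_auth_example.

```php
<?php
// Added illustrative example, not code from the shib_auth module.
// Assumptions (not stated in the advisory): the Shibboleth SP publishes its
// session identifier to PHP as $_SERVER['Shib-Session-ID']; the identifier
// seen at login is stored in $_SESSION['shib_auth_sp_session'].

/**
 * TRUE when the SP session presented on this request differs from the one the
 * Drupal session was established with. "No SP session at all" (the state after
 * a SAML2 Single Logout) counts as a change, because the Drupal login would
 * otherwise outlive the identity that created it.
 */
function shib_auth_example_sp_session_changed(array $server, array $session) {
  $bound   = isset($session['shib_auth_sp_session']) ? $session['shib_auth_sp_session'] : NULL;
  $current = isset($server['Shib-Session-ID']) ? $server['Shib-Session-ID'] : NULL;
  // A Drupal session never bound to an SP session (e.g. a local admin
  // account) is not this check's concern.
  if ($bound === NULL) {
    return FALSE;
  }
  // Strict comparison: '' or '0' must never be treated as a match.
  return $current === NULL || $bound !== $current;
}

/**
 * Implementation of hook_init(): runs on every page request. When the SP
 * session has changed, end the Drupal login so that statically granted
 * permissions of the original account do not carry over to the new person.
 */
function shib_auth_example_init() {
  global $user;
  if ($user->uid > 0 && shib_auth_example_sp_session_changed($_SERVER, $_SESSION)) {
    watchdog('shib_auth_example', 'SP session changed for uid %uid; Drupal session ended.',
             array('%uid' => $user->uid), WATCHDOG_WARNING);
    session_destroy();
    $user = drupal_anonymous_user();
    // Send the visitor back through the login path so the new identity gets
    // its own Drupal account and its own dynamic roles.
    drupal_goto('user/login');
  }
}

/**
 * Implementation of hook_user(): on the 'login' operation, record which SP
 * session the new Drupal login belongs to.
 */
function shib_auth_example_user($op, &$edit, &$account, $category = NULL) {
  if ($op == 'login' && isset($_SERVER['Shib-Session-ID'])) {
    $_SESSION['shib_auth_sp_session'] = $_SERVER['Shib-Session-ID'];
  }
}
```

The pure function shib_auth_example_sp_session_changed() carries the decision logic and can be unit-tested with constructed $server/$session arrays independently of Drupal.
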

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Shibboleth authentication versions for Drupal 6.x prior to 6.x-3.2
  * Shibboleth authentication versions for Drupal 5.x prior to 5.x-3.4

Drupal core is not affected. If you do not use the contributed Shibboleth
authentication module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Shibboleth authentication for Drupal 6.x upgrade to version
    6.x-3.2 [1]
  * If you use Shibboleth authentication for Drupal 5.x upgrade to version
    5.x-3.4 [2]

See also the Shibboleth authentication [3] project page.

-------- REPORTED BY ---------------------------------------------------------

Kristof Bajnok [4], Shibboleth authentication module maintainer.

-------- FIXED BY ------------------------------------------------------------

Kristof Bajnok [5], Shibboleth authentication module maintainer.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/593210
[2] http://drupal.org/node/593212
[3] http://drupal.org/project/shib_auth
[4] http://drupal.org/user/250470
[5] http://drupal.org/user/250470