[Security-news] shib_auth Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-043

security-news at drupal.org security-news at drupal.org
Wed May 3 16:22:49 UTC 2017


View online: https://www.drupal.org/node/2875366

   * Advisory ID: DRUPAL-SA-CONTRIB-2017-043
   * Project: Shibboleth authentication [1]     (third-party module)
   * Version: 7.x
   * Date: 2017-May-03
   * Security risk: 13/25 ( Moderately Critical)
     AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
   * Vulnerability: Access bypass, Information Disclosure

-------- DESCRIPTION
---------------------------------------------------------

This module enables you to login via Shibboleth.

The module doesn't sufficiently logout the user when the shib session
expires, which depending on the caching mechanism makes private data public.

This vulnerability is mitigated by the fact that shib_auth would have to be
used in combination with a caching mechanism which caches content for
authenticated users.


-------- VERSIONS AFFECTED
---------------------------------------------------

   * 7.x-4.x versions prior to 7.x-4.4.

Drupal core is not affected. If you do not use the contributed Shibboleth
authentication [3] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use the shib_auth module for Drupal 7.x, upgrade to shib_auth
     7.x-4.4 [4]

Also see the Shibboleth authentication [5] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Bart Vanderstukken [6]

-------- FIXED BY
------------------------------------------------------------

   * Kristof Bajnok [7] The module maintainer

-------- COORDINATED BY
------------------------------------------------------

   * Michael Hess [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and  securing your site [12].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]


[1] https://www.drupal.org/project/shib_auth
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/shib_auth
[4] https://www.drupal.org/project/shib_auth/releases/7.x-4.4
[5] https://www.drupal.org/project/shib_auth
[6] https://www.drupal.org/u/sneakyvv
[7] https://www.drupal.org/u/bajnokk
[8] https://www.drupal.org/u/mlhess
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity



More information about the Security-news mailing list