[Drupal] Fwd: [Security-news] SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF)

Little, Jason little.129 at osu.edu
Thu Jan 22 12:55:20 EST 2015


> If you can get the admin's browser to go to an arbitrary URL
> while he's logged in then there's a whole lot more that you can do...

For what it's worth, I don't think it was allowing the injection, just using GET inappropriately.

Here's the commit.
http://cgit.drupalcode.org/shib_auth/commit/?id=e44fcde

shib_auth had a path that could be requested to trigger a destructive action instead of using a standard confirm_form approach. So if you could hit "admin/user/shib_auth/delete/%" as an admin it would delete the rule.

This means that any content editor could add an image like this <img src="/admin/user/shib_auth/delete/123" /> and "trick" an admin into going to the malicious page and poof, rule 123 would be gone.

GET requests should never have side effects like that. The standard-ish Drupal way around that is to use the confirm_form function, which is what it looks like they changed the code to do:
https://api.drupal.org/api/drupal/modules%21system%21system.module/function/confirm_form/7

Looking at the code, it looks like their clone rule code was similarly updated, but I'm guessing that just duplicates an existing rule.

Best,
Jason
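The pattern Jason describes, as an added Drupal 7 illustration that is not code from the shib_auth module or the linked commit. The module prefix `example_shib`, the permission string and the `shib_auth_rules` table are assumed placeholders; the route path is the one named above.

```php
<?php
// BEFORE (the vulnerable shape): a plain page callback that deletes on GET.
// Any <img src="/admin/user/shib_auth/delete/123"> loaded by a logged-in
// admin performs the delete, because GET carries no intent and no token.
function example_shib_menu_vulnerable() {
  $items['admin/user/shib_auth/delete/%'] = array(
    'title'            => 'Delete rule',
    'page callback'    => 'example_shib_delete_rule_now',   // runs immediately
    'page arguments'   => array(4),
    'access arguments' => array('administer shibboleth authentication'), // assumed name
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

function example_shib_delete_rule_now($rid) {
  db_delete('shib_auth_rules')->condition('rid', $rid)->execute(); // assumed table
  drupal_goto('admin/user/shib_auth');
}

// AFTER (the confirm_form shape): the same path now renders a form.
// drupal_get_form() attaches a form_build_id and a per-session form token,
// so the delete only runs on a POST that Form API has validated.
function example_shib_menu_fixed() {
  $items['admin/user/shib_auth/delete/%'] = array(
    'title'            => 'Delete rule',
    'page callback'    => 'drupal_get_form',
    'page arguments'   => array('example_shib_delete_confirm', 4),
    'access arguments' => array('administer shibboleth authentication'), // assumed name
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

function example_shib_delete_confirm($form, &$form_state, $rid) {
  // Carry the id as a hidden value; it is signed into the form token.
  $form['rid'] = array('#type' => 'value', '#value' => (int) $rid);
  return confirm_form($form,
    t('Are you sure you want to delete rule %rid?', array('%rid' => $rid)),
    'admin/user/shib_auth',            // "Cancel" destination
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

function example_shib_delete_confirm_submit($form, &$form_state) {
  // Reached only after Form API verified the token on the POST.
  db_delete('shib_auth_rules')->condition('rid', $form_state['values']['rid'])->execute();
  drupal_set_message(t('Rule deleted.'));
  $form_state['redirect'] = 'admin/user/shib_auth';
}
```

A GET to the path in the fixed version only shows the confirmation page; a forged request cannot supply the token, so it never reaches the submit handler.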

________________________________
From: Drupal [drupal-bounces at lists.osu.edu] on behalf of Hicks, Edward S. (Stu) [hicks.367 at osu.edu]
Sent: Thursday, January 22, 2015 12:03 PM
To: Drupal users list; drupal at lists.service.ohio-state.edu
Subject: Re: [Drupal] Fwd: [Security-news] SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF)

Their report needs more info.  If you can get the admin's browser to go to an arbitrary URL while he's logged in then there's a whole lot more that you can do than just fiddle with the Shib auto-assignment list.

From: Little, Jason <little.129 at osu.edu>
Reply-To: Drupal users list <drupal at lists.osu.edu>
Date: Wednesday, January 21, 2015 at 10:48 PM
To: Drupal Users <drupal at lists.service.ohio-state.edu>
Subject: [Drupal] Fwd: [Security-news] SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF)

There's a drupal/shib module security bug (see below). It doesn't sound too bad if you're not auto assigning roles.

Best,
Jason

Sent from my iPad

Begin forwarded message:

From: <security-news at drupal.org>
Date: January 21, 2015 at 6:23:52 PM EST
To: <security-news at drupal.org>
Subject: [Security-news] SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF)
Reply-To: <noreply at drupal.org>

View online: https://www.drupal.org/node/2411737

  * Advisory ID: DRUPAL-SA-CONTRIB-2015-028
  * Project: Shibboleth authentication [1]     (third-party module)
  * Version: 6.x, 7.x
  * Date: 2015-January-21
  * Security risk: 13/25 ( Moderately Critical)
    AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
  * Vulnerability: Cross Site Request Forgery

-------- DESCRIPTION
---------------------------------------------------------

Shibboleth Authentication module allows users to log in and get permissions
based on federated (SAML2) authentication.

The roles that are assigned to users are based on a matching list. A
malicious attacker can delete matching rules from the list by getting the
administrator's browser to make a request to a specially-crafted URL while
the administrator is logged in.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

  * A CVE identifier [3] will be requested, and added upon issuance, in
    accordance with Drupal Security Team processes.

-------- VERSIONS AFFECTED
---------------------------------------------------

  * Shibboleth Authentication 6.x-4.x versions prior to 6.x-4.1.
  * Shibboleth Authentication 7.x-4.x versions prior to 7.x-4.1.

Drupal core is not affected. If you do not use the contributed Shibboleth
authentication [4] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

  * If you use the Shibboleth Authentication module for Drupal 6.x, upgrade
    to 6.x-4.1 [5]
  * If you use the Shibboleth Authentication module for Drupal 7.x, upgrade
    to 7.x-4.1 [6]

Also see the Shibboleth authentication [7] project page.

-------- REPORTED BY
---------------------------------------------------------

  * Pere Orga [8] provisional member of the Drupal Security Team

-------- FIXED BY
------------------------------------------------------------

  * Zoltán Kiss [9] and Kristof Bajnok [10] the module maintainers

-------- COORDINATED BY
------------------------------------------------------

  * Pere Orga [11] provisional member of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and  securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] https://www.drupal.org/project/shib_auth
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/shib_auth
[5] https://www.drupal.org/node/2411269
[6] https://www.drupal.org/node/2411271
[7] https://www.drupal.org/project/shib_auth
[8] https://www.drupal.org/user/2301194
[9] https://www.drupal.org/user/496918
[10] https://www.drupal.org/user/250470
[11] https://www.drupal.org/user/2301194
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
