=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN115
_____________________________________________________________________

DATE                      : 07/04/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Shibboleth IdP versions 2.X.

======================================================================
http://shibboleth.internet2.edu/secadv/secadv_20090224.txt
______________________________________________________________________

Shibboleth IdP 2.X cross-site request attack
============================================

All current versions of the Shibboleth 2 IdP are vulnerable to a cross-site
attack under certain error conditions.  Such attacks could allow an attacker to
phish credentials, steal active sessions, or otherwise intercept communications
between the user and the IdP.

Affected Systems
================
All current versions of the Shibboleth 2 IdP.

Addressing the Issue
====================
Within the Shibboleth IdP distribution bundle (the directory structure created
by expanding the downloaded archive from the shibboleth site) edit the file
'src/main/webapp/error.jsp' and remove the following lines (lines 20 - 25 in
the default file).

    <%
        Throwable error = (Throwable) request.getAttribute(AbstractErrorHandler.ERROR_KEY);
        if (error != null) {
    %>
    <strong>Error Message: <%= error.getMessage() %></strong>
    <% } %>

Then, re-run the installation script (this time answering "no" when asked if you
want to overwrite your existing configuration) and restart your Servlet container.

All error messages will still be included in the IdP's log file, but the error
message will no longer be displayed to the user on the error page.

Shibboleth IdP 2.2.0 will contain the fix for this issue and will allow the
display of error messages to be re-enabled.
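The removed block writes the exception text straight into the HTML response,
so any attacker-influenced content that ends up in an exception message
reaches the browser unescaped. The following is an added illustration, not
the advisory's recommended fix and not Shibboleth code: it keeps the same
lookup of the error attribute but HTML-escapes the message before rendering
it. It assumes the same page context as the stock 'src/main/webapp/error.jsp'
(the AbstractErrorHandler import already present in that file), and it assumes
that unescaped output of error.getMessage() is the root cause, which the
advisory does not state explicitly. The advisory's guidance remains to remove
the lines until 2.2.0.

```jsp
<%-- Added example, not from the advisory or the Shibboleth project.
     Assumes the AbstractErrorHandler import that the stock error.jsp carries. --%>
<%!
    // Minimal escaping for text placed in HTML element content.
    // Assumption: the issue is the verbatim echo of error.getMessage();
    // escaping the five HTML-significant characters prevents the message
    // from being interpreted as markup or script.
    private static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
%>
<%
    // Same lookup as the stock error.jsp; the attribute is set by the
    // IdP's error handler before this page is rendered.
    Throwable error = (Throwable) request.getAttribute(AbstractErrorHandler.ERROR_KEY);
    if (error != null) {
%>
<%-- The line the advisory removes wrote error.getMessage() into the page
     verbatim; here the same text is escaped before it is emitted. --%>
<strong>Error Message: <%= escapeHtml(error.getMessage()) %></strong>
<%
    }
%>
```

After changing error.jsp, re-run the installation script and restart the
servlet container as described above; the logged error text is unaffected,
since only the rendered output is escaped.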

Credits
=======
Mike Suvanto, from CSC, for finding the bug

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

