
====================================================================

                              CERT-Renater

                 Note d'Information No. 2017/VULN137
_____________________________________________________________________

DATE                : 04/05/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Shibboleth authentication for
                     DRUPAL versions 7.x.

=====================================================================
https://www.drupal.org/node/2875366
____________________________________________________________________

shib_auth Moderately Critical - Multiple vulnerabilities -
SA-CONTRIB-2017-043
Posted by Drupal Security Team on 3 May 2017 at 15:35 UTC

    Advisory ID: DRUPAL-SA-CONTRIB-2017-043
    Project: Shibboleth authentication (third-party module)
    Version: 7.x
    Date: 2017-May-03
    Security risk: 13/25 (Moderately Critical)
               AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
    Vulnerability: Access bypass, Information Disclosure


Description

This module enables you to log in via Shibboleth.

The module doesn't sufficiently log out the user when the Shibboleth (shib)
session expires: the Drupal session can outlive the SP session, and depending
on the caching mechanism in use this can make private data public.

This vulnerability is mitigated by the fact that shib_auth would have
to be used in combination with a caching mechanism which caches content
for authenticated users.
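As an added illustration (not the shib_auth module's own code), the kind of check that closes this gap in a hypothetical Drupal 7 module named `shib_session_guard`: it records the SP session identifier at login and, on every later request, ends the Drupal session as soon as that identifier is missing or has changed, while also telling any cache in front of the site not to store the authenticated response. It assumes the Shibboleth SP exports its session identifier as the standard `Shib-Session-ID` server variable.

```php
<?php
// shib_session_guard.module: hypothetical added example, not shib_auth code.
// Assumes the Shibboleth SP exports the Shib-Session-ID server variable.

/**
 * Returns the SP session identifier for this request, or NULL when the SP
 * no longer reports a session (expired, or the user left the SP session).
 */
function shib_session_guard_current_sp_session() {
  if (!empty($_SERVER['Shib-Session-ID'])) {
    return $_SERVER['Shib-Session-ID'];
  }
  // Some SP/web-server setups pass it as an HTTP header instead.
  if (!empty($_SERVER['HTTP_SHIB_SESSION_ID'])) {
    return $_SERVER['HTTP_SHIB_SESSION_ID'];
  }
  return NULL;
}

/**
 * Implements hook_user_login(): bind the new Drupal session to the SP
 * session that was active when the user logged in (NULL for local logins).
 */
function shib_session_guard_user_login(&$edit, $account) {
  $_SESSION['shib_session_guard_sp_id'] = shib_session_guard_current_sp_session();
}

/**
 * Implements hook_init(): tear down the Drupal session when the SP session
 * it was bound to has expired or been replaced by a different one.
 */
function shib_session_guard_init() {
  global $user;
  if (!user_is_logged_in()) {
    return;
  }
  // Authenticated responses must never be served to other clients by a
  // reverse proxy or CDN, whatever the Drupal session state.
  drupal_add_http_header('Cache-Control', 'no-store, private');

  $bound = isset($_SESSION['shib_session_guard_sp_id']) ? $_SESSION['shib_session_guard_sp_id'] : NULL;
  if ($bound === NULL) {
    return;  // Not a Shibboleth-backed login; nothing to enforce.
  }
  if (shib_session_guard_current_sp_session() !== $bound) {
    watchdog('shib_session_guard', 'SP session gone or changed for uid %uid; ending Drupal session.',
      array('%uid' => $user->uid), WATCHDOG_NOTICE);
    // Same teardown as user_logout(), without the redirect.
    module_invoke_all('user_logout', $user);
    session_destroy();
    $user = drupal_anonymous_user();
  }
}
```

A re-authenticated user receives a fresh SP session identifier, so the comparison catches both plain expiry and a changed session rather than relying on the SP variable simply disappearing.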


Versions affected

    7.x-4.x versions prior to 7.x-4.4.

Drupal core is not affected. If you do not use the contributed
Shibboleth authentication module, there is nothing you need to do.


Solution

Install the latest version:

    If you use the shib_auth module for Drupal 7.x, upgrade to
    shib_auth 7.x-4.4

Also see the Shibboleth authentication project page.


Reported by

    Bart Vanderstukken


Fixed by

    Bart Vanderstukken
    Kristof Bajnok, the module maintainer


Coordinated by

    Michael Hess of the Drupal Security Team


Contact and More Information

The Drupal security team can be reached at security at drupal.org or
via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
