Project

General

Profile

Support #51350

Where to report Security Issues

Added by Victor Schönfelder 3 days ago. Updated 2 days ago.

Status:
Fermé
Priority:
Normal
Assignee:
-
Category:
SAMLv2
Target version:
Start date:
22 Feb 2021
Due date:
% Done:

0%

Estimated time:
Patch proposed:
No
Planning:
No

Description

Hello,
what is the preferred place to report possible Security Issues in Lasso?
Thank you in advance

History

#1

Updated by Frédéric Péters 3 days ago

Hi! You can send me an email at , my PGP ID is 7149 147D F2F4 6AE0 3D55 6E3B 2AE9 01E5 C702 18D2.

#2

Updated by Benjamin Dauvergne 2 days ago

Weakness: XML Node Splitting

There is no security problem here, users of the Lasso library are expected to iterate the LassoMiscTextNode from the AttributeValue.any linked list to build the full string value, see for example https://git.entrouvert.org/django-mellon.git/tree/mellon/views.py#n217

Weakness: Processing multiple Assertions

It's not possible to add assertions as the Response is always signed also and anyway no IdP ever sent multiple assertions in production and no client I know about expected it, so it's not a real problem either (they would just be ignored). And when using the "Artifact" binding, it's not even possible to intercept AuthnResponse and modify them.

In the grand scheme of thing XMLSEC is an abomination anyway that provide only fake security. See https://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt for a full report on it.

PS: the objection about signature on the AuthnResponse also apply to the first weakness, you will not be able to modify the response.

#3

Updated by Benjamin Dauvergne 2 days ago

  • Status changed from Nouveau to Fermé

Also available in: Atom PDF