Bug #56492
SAML response replay is possible in some cases
Description
The lasso_saml20_login_accept_sso function has anti-replay protection, which seems to be generating false negatives in some situations.
As a result I'm able to call lasso_saml20_login_process_authn_response_msg() and lasso_saml20_login_accept_sso() twice for the same SAML response within the same session and get a successful result code, which is NOT expected.
I'm willing to disclose a PoC for the issue upon request from Lasso developers.
History
Updated by Benjamin Dauvergne over 2 years ago
- Assignee set to Evgenii Kosov
Real replay protection MUST be handled by the callers as it must be done against the current time and timestamp on the response and assertions anyway. Lasso is made to be stateless and does not provide any security based on stateful properties (it's usually done by storing assertions/response IDs in a database with timestamps). What's implemented inside accept_sso is a toy replay protection; but I would still be happy to see your PoC here.
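The caller-side scheme described in the comment above (store response and assertion IDs with their timestamps, check validity against the current time), as an added example that is not Lasso code or part of this ticket. It assumes the XML signature has already been verified, a 3-minute clock skew tolerance, and a constructed unsigned sample response.

```python
# Caller-side SAML 2.0 replay protection (added example, not Lasso code):
# IDs are stored until NotOnOrAfter passes; validity is checked against "now".
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
CLOCK_SKEW = timedelta(minutes=3)  # assumed tolerance for IdP/SP clock drift


def _ts(value):  # xsd:dateTime in UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class SeenIds:
    """ID -> expiry; in production a DB table with UNIQUE(id) avoids the check-then-store race."""
    def __init__(self):
        self.ids = {}

    def purge(self, now):  # expired IDs can never be accepted again; drop them
        self.ids = {i: e for i, e in self.ids.items() if e + CLOCK_SKEW > now}


def accept_response(xml_text, store, now):
    """Return (ok, reason). Call only after the XML signature was verified."""
    root = ET.fromstring(xml_text)
    assertion = root.find(SAML + "Assertion")
    cond = assertion.find(SAML + "Conditions")
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    not_on_or_after = _ts(cond.get("NotOnOrAfter"))
    if now - CLOCK_SKEW >= not_on_or_after:
        return False, "assertion expired"
    store.purge(now)
    ids = (root.get("ID"), assertion.get("ID"))  # both are single-use
    if any(i in store.ids for i in ids):
        return False, "replayed response or assertion ID"
    for i in ids:
        store.ids[i] = not_on_or_after
    return True, "accepted"


# Constructed, unsigned sample; signature handling is out of scope here.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def demo_replay():  # same response twice in one session: second call is rejected
    store, now = SeenIds(), _ts("2024-05-01T12:01:00Z")
    return accept_response(SAMPLE, store, now), accept_response(SAMPLE, store, now)
```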