Bug #56492

SAML response replay is possible in some cases

Added by Evgenii Kosov over 2 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
30 Aug 2021
Due date:
% Done:

0%

Estimated time:
Patch proposed:
No
Planning:
No

Description

The lasso_saml20_login_accept_sso function has anti replay protection, which seems to be generating false negatives in some situations.
As a result I'm able to call lasso_saml20_login_process_authn_response_msg() and lasso_saml20_login_accept_sso() twice for the same SAML response within the same session and get a successful result code, which is NOT expected.

I'm willing to disclose a PoC for the issue upon request from Lasso developers.

History

#1

Updated by Benjamin Dauvergne over 2 years ago

  • Assignee set to Evgenii Kosov

Real replay protection MUST be handled by the callers as it must be done against the current time and timestamp on the response and assertions anyway. Lasso is made to be stateless and does not provide any security based on stateful properties (it's usually done by storing assertions/response IDs in a database with timestamps). What's implemented inside accept_sso is a toy replay protection; but I would still be happy to see your PoC here.
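The caller-side check the maintainer describes, as an added example that is not Lasso's own code: validate the assertion's time window against the current clock, then remember seen assertion IDs only until they can no longer pass the time check. The store, the skew tolerance and the `demo()` clock values are constructed for illustration; a real SP would back the store with a shared database.

```python
"""Caller-side SAML assertion replay protection (constructed example, not
part of Lasso). Run after Lasso has validated the response signature."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance for IdP/SP clock drift


@dataclass
class ReplayStore:
    """In-memory stand-in for the database of seen IDs (maps ID -> NotOnOrAfter).
    Every SP worker must share one store, or a replay can hit another worker."""
    seen: dict = field(default_factory=dict)

    def purge(self, now):
        # An ID only needs remembering while the time check could still accept it.
        self.seen = {aid: exp for aid, exp in self.seen.items()
                     if exp + CLOCK_SKEW > now}


def accept_assertion(store, assertion_id, not_before, not_on_or_after, now=None):
    """Return (accepted, reason). Call once lasso_saml20_login_accept_sso()
    succeeded and before the application session is created."""
    now = now or datetime.now(timezone.utc)
    store.purge(now)
    if not assertion_id:
        return False, "missing ID"
    if not_before is not None and now + CLOCK_SKEW < not_before:
        return False, "not yet valid"
    if now - CLOCK_SKEW >= not_on_or_after:
        return False, "expired"
    if assertion_id in store.seen:
        return False, "replayed"
    store.seen[assertion_id] = not_on_or_after  # record only after all checks pass
    return True, "ok"


def demo():
    """Second use of a valid assertion is rejected as a replay; after its window
    closes the time check alone rejects it and the ID is forgotten."""
    t0 = datetime(2021, 8, 30, 12, 0, tzinfo=timezone.utc)  # constructed clock
    store = ReplayStore()
    window = (t0 - timedelta(minutes=1), t0 + timedelta(minutes=5))
    results = [
        accept_assertion(store, "_a1", *window, now=t0)[1],
        accept_assertion(store, "_a1", *window, now=t0 + timedelta(seconds=30))[1],
        accept_assertion(store, "_a2", t0 + timedelta(minutes=5),
                         t0 + timedelta(minutes=10), now=t0)[1],
        accept_assertion(store, "_a1", *window, now=t0 + timedelta(minutes=7))[1],
    ]
    return results, sorted(store.seen)
```

The store stays bounded because an ID is dropped exactly when the `expired` check starts rejecting it, so the two checks together leave no window in which the same assertion is accepted twice.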

#2

Updated by Pierre Cros about 2 years ago

  • Priority changed from High to Normal

#3

Updated by Benjamin Dauvergne about 2 years ago

  • Status changed from New to Closed
