
Shibboleth Service Provider Security Advisory (04-May-2016)

Shibboleth has announced a critical security issue that allows an unauthenticated remote attacker to access protected resources, but it affects only a subset of deployers.

Shibboleth SP software feature implemented incorrectly

The Shibboleth SP software contains a feature to specify protection rules and other settings based on evaluating a regular expression against a portion of the requested URL path. It is used by including a PathRegex element in the RequestMapper construct in the shibboleth2.xml configuration file.

Note: Deployers that do not make use of the PathRegex feature are not impacted.

Check your shibboleth2.xml configuration file for the PathRegex element. If it is used, check for the ignoreCase attribute on each PathRegex element.

• If found, reverse the value (true to false, false to true).
• If not found, add ignoreCase="false" to the element.

Restarting the web server will not be required to effect the change.

Shibboleth information for this Security Advisory can be found here

More information about this feature can be found on the Shibboleth wiki
