During an internal security audit of our Rapid IdP product the AAF technical team has discovered an attack vector in one recommended configuration of the Shibboleth IdP when using Jetty and Apache. We recommend an audit of all deployed IdPs to assess whether this advice is applicable.

If the server is misconfigured, a malicious client can bypass IP-based authentication that Shibboleth uses for testing and health check endpoints by providing the X-Forwarded-For proxy header. This can result in the disclosure of server environment information and user attributes to arbitrary clients. To mitigate this, proxy headers must be sanitised.

AAF has updated the example Apache configuration provided in the IdP Installer to mitigate this by default.

Recommendation

IdPs should review their deployment and adopt necessary changes as soon as practical. The configuration is available from the latest revision of the IdP Installer:

https://github.com/ausaccessfed/shibboleth-idp-installer/blob/7f38d696/assets/idp.example.edu.dist/apache/idp.conf#L58-L66

Please note that the change to the IdP Installer only affects the example config that is used when creating a new IdP. For existing IdP you will need to modify the file /opt/shibboleth-idp-installer/repository/assets/[SERVER-NAME]/apache/idp.conf. Then run idp_update.sh (without the -u option). 

Subscribers using Rapid IdP have already received the necessary fix to protect their IdP from this issue.

For IdPs deployed behind a load balancer or other proxy server, consider whether this configuration should instead be adapted to sanitise the headers before they reach the IdP server.