[ 
https://issues.apache.org/jira/browse/FEDIZ-232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16651457#comment-16651457
 ] 

Colm O hEigeartaigh commented on FEDIZ-232:
-------------------------------------------

Yes, the CSRF-style attacks are valid; see the previous security advisories:

[http://cxf.apache.org/security-advisories.data/CVE-2017-7661.txt.asc?version=1&modificationDate=1494949364000&api=v2]

[http://cxf.apache.org/security-advisories.data/CVE-2017-12631.txt.asc?version=1&modificationDate=1512037276000&api=v2]

If the application doesn't check if the received wctx parameter matches one it 
sent, then it's open to a malicious third party sending it a valid token 
response for itself, and so setting up the application with the incorrect roles.

I am OK with setting a flag to disable WCTX validation though, so long as it's 
enabled by default.

 

> 'wctx' parameter mandatory but protocol does not require
> --------------------------------------------------------
>
>                 Key: FEDIZ-232
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-232
>             Project: CXF-Fediz
>          Issue Type: Bug
>            Reporter: Christian Fischer
>            Priority: Major
>
> For logins which are not initiated by a valid session on the RP side the user 
> cannot be authenticated because the wctx parameter is missing or has the 
> wrong value.
> There are at least two scenarios in which this causes an unwanted behaviour of 
> the system.
>  * First is if the IDP/login page is bookmarked and returns only later after 
> the session on the RP is timed out. 
>  * Second is something similar to an IDP-initiated login flow. It's not in the 
> WS federation protocol specification but according to our tests fediz could 
> easily allow that if the 'wctx' check is removed. 
> In the protocol specification the 'wctx' parameter is also only optional, 
> where fediz expects it to be always present. There is a comment with respect 
> to CSRF prevention but our security team didn't see the case for this since 
> no passive way of authentication is used. In fact it's the actual 
> authentication request that is supposed to be protected, but we don't see the 
> need.
>  
> One option (if the CSRF case is valid) would be to at least disable the 
> 'wctx' state validation by setting a flag.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
