-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0952
               Shibboleth Service Provider Security Advisory
                               18 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth SP
Publisher:         Shibboleth
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://shibboleth.net/community/advisories/secadv_20210317.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [17 March 2021]

An updated version of the Service Provider software is available
which fixes a phishing vulnerability.

Template generation allows external parameters to override placeholders
======================================================================
The SP includes a primitive template engine used to render error pages
and various other status or transition pages, and it supports a syntax
for embedding placeholders that are replaced by internally supplied
values or configuration settings.

For reasons that are unclear in the code history, it was extended to
allow replacement via query parameters also, though this is not a
typical need. Because of this feature, it's possible to cause the SP
to display some templates containing values supplied externally by
URL manipulation.

Though the values are encoded to prevent script injection, the content
nevertheless appears to come from the server and so would be interpreted
as trustworthy, allowing email addresses, logos and style sheets, or
support URLs to be manipulated by an attacker.

All platforms are impacted by this issue.


Recommendations
===============
Update to V3.2.1 or later of the Service Provider software, which
is now available.

The update adds a new <Errors> setting to the configuration called
externalParameters, which defaults to false. When false, support for
this "feature" is disabled. In the unlikely event that a valid need
for this exists, the setting can be enabled temporarily to maintain
function until the use case requiring it is addressed in some other
way.

In the event that an update is not possible, reducing or eliminating
some of the more sensitive template replacement values with static
values in the templates may decrease the impact.


Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
d1dbebfadc1bdb824fea63843c4c38fa69e54379


Credits
=======
Toni Huttunen, Fraktal Oy


History
=======
Edited to add credit, and a bit more discussion of style sheet risk
and workarounds.

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210317.txt

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmBSD+MACgkQN4uEVAIn
eWJQtBAAp3xxDvDxiQ3bNw+vwJmEOVjJMlwLjBQPmYvV09Pu593xuQj4RWLbZRgK
lZlxHzvXb6dg+bHNl799uCFhcWe8NExB5GnTQPR8/JG1OwgJ0WogezpMYAAvKjkA
LXaDsz7u4DDQ4OBYemkMx3W+0CHhYPw+TLz9rHN+rAKOEGzPLWDT/cKJ75ps19/v
hnQKZ7i7mQobh61zAe5rpi+ziWmDqhzFv4uBOwbuY02UYZQm6+D3BRqAf62Cjnyh
Z/nuZ6Z/5BxitDZBPPSreSl7sMHYzI83RDZGHWgEDjHKZdpYSXpUM3vntuC1pdaO
r4izd97H7nptnuznslu1S0NfkeZlWF3XaaMa8ZrCvMvC62MVK+WvOgFZxE5wmeDZ
3f9Eei//LTE4+B1rQPU99wNbgXdelfXWKkN6hHIXcSlfqG4miAONA86U39JuNovy
S66o9uQG3y55Qp9YcGAca4/9azmr8xQlcKTPFfp2tJrvCwmK3yu0TPbeirPpE9SN
eJhl3/cCenOyN9pMZOZ9MqeIPdlkJ1Qwcd1xs/Jyzqo/LTsvnzVTzaCx0lc6qy/Z
ld3Amkcpo/K2NajWjFVvwx72Yj4Y3DCUvlDrQcNM8Oc2Sv195EDJpXIW8ynqB9aZ
RJUrsmhKRcQKMbfGlHAToMREruW1i3jH1twqS/IOxe7Z4jg5u3A=
=tv1A
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYFKtIeNLKJtyKPYoAQiKrQ/+Ijzytw+5FcbGH8r3BAVtcBeUTcrFQid5
FJgpOZwmT6CquxPlKq8ZrE3NF70JpXysGquTpd4+OIgV98CSuWYs2O1mkX51zSDm
iMiLt6WhFdfwCA0t7UlWF+3pcxx5oUshtH8OeWq46Y4H25nch+Z7wJhok3qbPE2U
O9sC+gxcUWeUA7DiEaC3V0MlamOdynRcp6pdAlFh07+cuPzuMz5ivqlvmNYGt8JO
CqNc2FfBxiBrX+P/x5bNEwFiS4L0KmHwdAG1Xi8o1gvrvJW/nQ2R91x0L7wx/VmD
eei9KfFGlTv58F4wdW1nt+0gf5wyNTAVuCvUjMv2P7L2BGfgnhJwwTQJ17TW5ceC
HYolhlXOmn92Ayya+JfemI0Xf1Nlxj7rrPehfvHHkGiZzGQXZPDZD9Z7/TN7VRr3
ULXW7wXZ6Urb3P8oVGB9a6Lrlpg09FuxcWHGnjmYZgxs5E/2H23vdHrarSg1kB+5
TXXybT+jz85I7ioeQye5NeTh8uYxks69xYriKbFOgB9/b82qY3AQZmWogGmlIQe+
AiQWpdiLtZf+1j2YmJXYc6NKwiUI3MwJtcihiKbrY2rDEtE/ztUkx/HwfIZprmeE
45JF8Q2XWsReDRREySaiL4qmT9Deqf/wk+fgOe/Umshx0t0zYtegqkuCLAwTtdK9
AwFyLRsFdSk=
=GKME
-----END PGP SIGNATURE-----