An Apache module with a simple SAML 2.0 service provider
If Apache is configured as a reverse proxy with mod_auth_mellon for authentication, the authentication can be bypassed by adding SAML 2.0 ECP headers to the request.
This vulnerability affects mod_auth_mellon 0.11.0 and newer.
This vulnerability is due to both mod_auth_mellon and mod_proxy registering as handlers for the requests, with the same priority. When mod_auth_mellon handles the request first, it will trigger an ECP authentication request. If mod_proxy handles it first, it will forward it to the backend server.
Which module handles it first depends on the order modules are loaded by Apache.
This vulnerability is fixed by explicitly registering that the mod_auth_mellon handler should run before mod_proxy.
Thanks to Jakub Hrozek and John Dennis at Red Hat for fixing this vulnerability.
Version 0.14.1 and older of mod_auth_mellon allow the redirect URL validation to be bypassed by specifying a URL with backslashes instead of forward slashes. Browsers silently convert backslashes to forward slashes, which allows an attacker to bypass the redirect URL validation by using %5c in the ReturnTo parameter, e.g.:
https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
This version fixes that issue by rejecting all URLs with backslashes.
Thanks to Eric Chamberland for discovering this vulnerability.
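An added illustration of the check described above, not mod_auth_mellon's own code (the module is written in C and its real validator differs in detail): a weak ReturnTo host check modeled in Python beside one that rejects backslashes outright, with sp.example.org assumed as the service provider host.

```python
"""Model of a ReturnTo redirect check in weak and hardened form.

Added illustration only; it is not mod_auth_mellon's code. It shows the class
of check that backslashes slip past and the class of fix the release applies.
"""
from urllib.parse import unquote, urlsplit

SP_HOST = "sp.example.org"  # constructed example host, as used on the page


def browser_normalize(url: str) -> str:
    """Approximate browser behaviour: backslashes after the scheme are treated
    as forward slashes, so 'https:\\\\x/' is fetched as 'https://x/'."""
    return unquote(url).replace("\\", "/")


def weak_return_to_ok(url: str) -> bool:
    """Weak check: accept relative URLs (no host) and URLs whose host is the SP.
    urlsplit does not treat backslashes as authority delimiters, so
    'https:\\\\malicious.example.org/' parses with an empty host and passes."""
    parts = urlsplit(unquote(url))
    return parts.netloc in ("", SP_HOST)


def hardened_return_to_ok(url: str) -> bool:
    """Hardened check, following the fix the page describes: any backslash,
    raw or percent-encoded, is rejected before the host check. The host is
    then taken from the browser-normalized form so the check sees what the
    browser will see."""
    if "\\" in url or "\\" in unquote(url):
        return False
    parts = urlsplit(browser_normalize(url))
    return parts.netloc in ("", SP_HOST)


def would_redirect_offsite(url: str) -> bool:
    """True if a browser given this URL would leave SP_HOST."""
    host = urlsplit(browser_normalize(url)).netloc
    return host not in ("", SP_HOST)
```

Running the page's sample value through both checks shows the weak one accepting a URL that the browser resolves to malicious.example.org, while the hardened one rejects it.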
MellonCond
Set-Cookie header
This version switches the default signature algorithm used when signing messages from rsa-sha1 to rsa-sha256. If your IdP does not allow messages to be signed with that algorithm, you need to add a setting switching back to the old algorithm:
MellonSignatureMethod rsa-sha1
Note that this only affects messages sent from mod_auth_mellon to your IdP. It does not affect authentication responses or other messages sent from your IdP to mod_auth_mellon.
Many improvements in what is logged during various errors.
Diagnostics logging, which creates a detailed log during request processing.
Add support for selecting which signature algorithm is used when signing messages, and switch to rsa-sha256 by default.
Fix segmentation fault in POST replay functionality on empty value.
Fix incorrect error check for many lasso_* functions.
Fix case sensitive match on MellonUser attribute name.
Fix a cross-site session transfer vulnerability. mod_auth_mellon version 0.13.0 and older failed to validate that the session specified in the user's session cookie was created for the web site the user actually accesses.
If two different web sites are hosted on the same web server, and both web sites use mod_auth_mellon for authentication, this vulnerability makes it possible for an attacker with access to one of the web sites to copy their session cookie to the other web site, and then use the same session to get access to the other web site.
Thanks to François Kooman for reporting this vulnerability.
This vulnerability has been assigned CVE-2017-6807.
Note: The fix for this vulnerability makes mod_auth_mellon validate that the cookie parameters used when creating the session match the cookie parameters that should be used when accessing the current page. If you currently use mod_auth_mellon across multiple subdomains, you must make sure that you set the MellonCookie option to the same value on all domains.
Fix segmentation fault if a (trusted) identity provider returns a SAML 2.0 attribute without a Name.
Fix segmentation fault if MellonPostReplay is enabled but MellonPostDirectory is not set.
Fix a denial of service attack in the logout handler, which allows a remote attacker to crash the Apache worker process with a segmentation fault. This is caused by a null-pointer dereference when processing a malformed logout message.
In addition there are various fixes for errors in the documentation, as well as internal code changes that do not have any user visible effects.
Security fixes:
In addition this release contains the following new features and fixes:
Security fixes:
MellonDecode option has been disabled. It was used to decode attributes in a Feide-specific encoding that is no longer used.
max-age=0 in Cache-Control header, to ensure that all browsers verify the data on each request.
MellonEnvVarsSetCount to specify if the number of values for any attribute should also be stored in an environment variable suffixed _N.
MellonEnvVarsIndexStart to specify if environment variables for multi-valued attributes should start indexing with 0 (default) or with 1.
DirectoryIndex in Apache 2.4.
This is a security release with fixes backported from version 0.9.1.
It turned out that the session overflow bug fixes in versions 0.9.0 and 0.9.1 can lead to information disclosure, where data from one session is leaked to another session. Depending on how this data is used by the web application, this may lead to data from one session being disclosed to a user in a different session. (CVE-2014-8566)
In addition to the information disclosure fix, this release contains some fixes for logout processing, where logout requests would crash the Apache web server. (CVE-2014-8567)