Mod Auth Mellon Versions

An Apache module with a simple SAML 2.0 service provider

v0.14.2

5 years ago

Security fixes

[CVE-2019-3878] Authentication bypass when Apache is used as a reverse proxy

If Apache is configured as a reverse proxy with mod_auth_mellon for authentication, the authentication can be bypassed by adding SAML 2.0 ECP headers to the request.

This vulnerability affects mod_auth_mellon 0.11.0 and newer.

This vulnerability is due to both mod_auth_mellon and mod_proxy registering as handlers for the request, with the same priority. When mod_auth_mellon handles the request first, it will trigger an ECP authentication request. If mod_proxy handles it first, it will forward it to the backend server.

Which module handles it first depends on the order modules are loaded by Apache.

This vulnerability is fixed by explicitly registering the mod_auth_mellon handler to run before mod_proxy.

Thanks to Jakub Hrozek and John Dennis at Red Hat for fixing this vulnerability.

[CVE-2019-3877] Redirect URL validation bypass

Version 0.14.1 and older of mod_auth_mellon allow the redirect URL validation to be bypassed by specifying a URL with backslashes instead of forward slashes. Browsers silently convert backslashes to forward slashes, which lets an attacker bypass the redirect URL validation by using %5c in the ReturnTo parameter. E.g.:

https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/

This version fixes that issue by rejecting all URLs with backslashes.

Thanks to Eric Chamberland for discovering this vulnerability.

v0.14.1

5 years ago

Bug fixes

  • Fix environment variables in MellonCond
  • Fix detection of AJAX requests
  • Fix trailing semi-colon in Set-Cookie-header

v0.14.0

6 years ago

Backwards incompatible changes

This version switches the default signature algorithm used when signing messages from rsa-sha1 to rsa-sha256. If your IdP does not allow messages to be signed with that algorithm, you need to add a setting switching back to the old algorithm:

MellonSignatureMethod rsa-sha1

Note that this only affects messages sent from mod_auth_mellon to your IdP. It does not affect authentication responses or other messages sent from your IdP to mod_auth_mellon.

New features

  • Many improvements in what is logged during various errors.

  • Diagnostics logging, which creates a detailed log during request processing.

  • Add support for selecting which signature algorithm is used when signing messages, and switch to rsa-sha256 by default.

Bug fixes

  • Fix segmentation fault in POST replay functionality on empty value.

  • Fix incorrect error check for many lasso_*-functions.

  • Fix case sensitive match on MellonUser attribute name.

v0.13.1

7 years ago

Security fix

Fix a cross-site session transfer vulnerability. mod_auth_mellon version 0.13.0 and older failed to validate that the session specified in the user's session cookie was created for the web site the user actually accesses.

If two different web sites are hosted on the same web server, and both web sites use mod_auth_mellon for authentication, this vulnerability makes it possible for an attacker with access to one of the web sites to copy their session cookie to the other web site, and then use the same session to get access to the other web site.

Thanks to François Kooman for reporting this vulnerability.

This vulnerability has been assigned CVE-2017-6807.

Note: The fix for this vulnerability makes mod_auth_mellon validate that the cookie parameters used when creating the session match the cookie parameters that should be used when accessing the current page. If you currently use mod_auth_mellon across multiple subdomains, you must make sure that you set the MellonCookie option to the same value on all domains.
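The note above describes the fix as binding a session to the cookie parameters in use when it was created. As an added example (not mod_auth_mellon's own code), the following Python sketches a session store shared by several sites on one server, with the pre-0.13.1 lookup beside a lookup that enforces that binding. `CookieParams`, `SessionStore`, the field set modelling the "cookie parameters", and the sample site configurations are constructed for the illustration.

```python
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class CookieParams:
    """Parameters a site's MellonCookie configuration yields for its session
    cookie. Constructed model: the exact field set is an assumption."""
    name: str
    domain: str
    path: str
    secure: bool = True
    httponly: bool = True


@dataclass
class Session:
    session_id: str
    user: str
    created_for: CookieParams  # recorded at creation, checked by the bound lookup


class SessionStore:
    """One store shared by every site on the server, as the advisory
    describes: sessions are keyed by id only, so an id minted for one
    site is resolvable from any other site on the same server."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, site: CookieParams) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(sid, user, site)
        return sid

    def lookup_unbound(self, sid: str):
        """0.13.0 and older: any site that presents a valid id gets the
        session, whichever site created it (the cross-site transfer)."""
        return self._sessions.get(sid)

    def lookup_bound(self, sid: str, site: CookieParams):
        """0.13.1 behaviour: the parameters recorded at creation must equal
        the parameters the current site would use, otherwise no session.
        Two subdomains only share a session when their MellonCookie
        settings, and hence their CookieParams, are identical."""
        session = self._sessions.get(sid)
        if session is None or session.created_for != site:
            return None
        return session


if __name__ == "__main__":
    store = SessionStore()
    site_a = CookieParams("mellon-cookie", "a.example.org", "/")
    site_b = CookieParams("mellon-cookie", "b.example.org", "/")
    sid = store.create("alice", site_a)
    print("unbound lookup from site B:", store.lookup_unbound(sid) is not None)
    print("bound lookup from site B:  ", store.lookup_bound(sid, site_b) is not None)
```

The bound lookup is what makes the multi-subdomain caveat necessary: a deployment whose subdomains use different `MellonCookie` values records different parameters per site, so a session created on one subdomain is rejected on the next.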

Bug fixes

  • Fix segmentation fault if a (trusted) identity provider returns a SAML 2.0 attribute without a Name.

  • Fix segmentation fault if MellonPostReplay is enabled but MellonPostDirectory is not set.

v0.13.0

7 years ago

Security fix

Fix a denial of service attack in the logout handler, which allows a remote attacker to crash the Apache worker process with a segmentation fault. This is caused by a null-pointer dereference when processing a malformed logout message.

New features

  • Allow MellonSecureCookie to be configured to enable just one of the "httponly" or "secure" flags, instead of always enabling both flags.
  • Support per-module log level with Apache 2.4.
  • Allow disabling the Cache-Control HTTP response header.
  • Add support for SameSite cookie parameter.

Bug fixes

  • Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs respond to the probe request.
  • Fix mod_auth_mellon interfering with other Apache authentication modules even when it is disabled for a path.
  • Fix wrong HTTP status code being returned in some cases during user permission checks.
  • Fix default POST size limit to actually be 1 MB.
  • Fix error if authentication response is missing the optional Conditions-element.
  • Fix AJAX requests being redirected to the IdP.
  • Fix wrong content type for ECP authentication request responses.

In addition there are various fixes for errors in the documentation, as well as internal code changes that do not have any user visible effects.

v0.12.0

8 years ago

Security fixes:

  • [CVE-2016-2145] Fix DoS attack (Apache worker process crash) due to incorrect error handling when reading POST data from client.
  • [CVE-2016-2146] Fix DoS attack (Apache worker process crash / resource exhaustion) due to missing size checks when reading POST data.

In addition this release contains the following new features and fixes:

  • Add MellonRedirectDomains option to limit the sites that mod_auth_mellon can redirect to. This option is enabled by default.
  • Add support for ECP service options in PAOS requests.
  • Fix AssertionConsumerService lookup for PAOS requests.
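The MellonRedirectDomains allowlist added in this release and the backslash bypass fixed in v0.14.2 (CVE-2019-3877, above) concern the same check: may the module send the browser to the ReturnTo target? The following Python is an added example, not mod_auth_mellon's code. It models the allowlist as a constructed set of hosts (exact host match is an assumption; the real directive's matching rules are not shown on this page) and contrasts a validator that trusts the server-side parser's view of the host with one that, like 0.14.2, rejects any backslash before looking at the host. The names `validate_redirect_before` and `validate_redirect_after`, and the rule that a URL without a host is treated as relative and accepted, are assumptions for the illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist in the spirit of MellonRedirectDomains (assumption:
# exact, case-insensitive host match).
ALLOWED_HOSTS = frozenset({"sp.example.org"})


def _host_allowed(url: str, allowed_hosts) -> bool:
    """Shared rule: only http(s); a URL with no host is treated as a relative
    redirect to the current site and accepted; an absolute URL must name an
    allowlisted host."""
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if not host:
        return True  # assumption: no host means a same-site relative target
    return host in allowed_hosts


def validate_redirect_before(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Pre-0.14.2 behaviour: the server-side parser sees "https:\\\\host" as a
    URL with an empty host, so the relative-URL branch accepts it, while the
    browser later reads the same string as https://host."""
    return _host_allowed(url, allowed_hosts)


def validate_redirect_after(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """0.14.2 behaviour: any backslash, literal or percent-encoded, is
    rejected before the host check, so the browser can never arrive at a
    host the server-side parser did not see."""
    if "\\" in unquote(url):
        return False
    return _host_allowed(url, allowed_hosts)


if __name__ == "__main__":
    # Constructed test vectors, including the ReturnTo value quoted above.
    for target in (
        "/mellon/page",
        "https://sp.example.org/app?x=1",
        "https://malicious.example.org/",
        "https:%5c%5cmalicious.example.org/",
    ):
        print(f"{target:45} before={validate_redirect_before(target)!s:5} "
              f"after={validate_redirect_after(target)}")
```

Decoding percent-encoding before the backslash test matters: the ReturnTo value is delivered encoded, and a check on the raw string would miss `%5c`.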

v0.11.1

8 years ago

Security fixes:

  • [CVE-2016-2145] Fix DoS attack (Apache worker process crash) due to incorrect error handling when reading POST data from client.
  • [CVE-2016-2146] Fix DoS attack (Apache worker process crash / resource exhaustion) due to missing size checks when reading POST data.

v0.11.0

8 years ago

  • Add SAML 2.0 ECP support.
  • The MellonDecode option has been disabled. It was used to decode attributes in a Feide-specific encoding that is no longer used.
  • Set max-age=0 in Cache-Control header, to ensure that all browsers verify the data on each request.
  • MellonMergeEnvVars On now accepts a second optional parameter, the separator to use instead of the default ;.
  • Add option MellonEnvVarsSetCount to specify if the number of values for any attribute should also be stored in an environment variable suffixed with _N.
  • Add option MellonEnvVarsIndexStart to specify if environment variables for multi-valued attributes should start indexing with 0 (default) or with 1.
  • Bugfixes:
    • Fix error about missing authentication with DirectoryIndex in Apache 2.4.

v0.10.0

9 years ago

  • Make sure that we fail in the unlikely case where OpenSSL is not able to provide us with a secure session id.
  • Increase the number of key-value pairs in the session to 2048.
  • Add MellonMergeEnvVars-option to store multi-valued attributes in a single environment variable, separated with ';'.
  • Bugfixes:
    • Fix the [MAP] option for MellonCond.
    • Fix cookie deletion for the session cookie. (Logout is not dependent on the cookie being deleted, so this only fixes the cookie showing up after the session is deleted.)

v0.8.1

9 years ago

This is a security release with fixes backported from version 0.9.1.

It turned out that the session overflow bug fixes in versions 0.9.0 and 0.9.1 can lead to information disclosure, where data from one session is leaked to another session. Depending on how this data is used by the web application, this may lead to data from one session being disclosed to a user in a different session. (CVE-2014-8566)

In addition to the information disclosure fix, this release contains fixes for logout processing, where logout requests could crash the Apache web server. (CVE-2014-8567)