Shibboleth 2 XML Injection

Posted by deepcore on January 16, 2018 – 8:04 am

RedTeam Pentesting discovered that the shibd service of Shibboleth 2 does not extract SAML attribute values in a robust manner. By inserting XML entities into a SAML response, attackers may truncate attribute values without breaking the document’s signature. This might lead to a complete bypass of authorisation mechanisms. Versions prior to 2.6.1 are affected.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« http://www.nonsanga.go.th/web1/file_editor/SeRaVo.txt D-Link DNS-325 ShareCenter 1.05B03 Shell Upload / Command Injection »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Shibboleth 2 XML Injection

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL