OpenConext / OpenConext-myconext

A (guest) IdP for OpenConext
https://eduid.nl/

Log forgery in migration flow (Info) #259

Closed phavekes closed 4 days ago

phavekes commented 4 days ago

This issue is imported from pivotal

It was found that the web application allows an attacker to forge entries in the log files. The ShibbolethPreAuthenticatedProcessingFilter class implements several logging statements that directly write user input to the logs.

phavekes commented 4 days ago

Although this is not a security threat in our current environment, we could make use of a sanitised Logger. Investigate if the used package has something out-of-the-box (Okke Harsta - Feb 12, 2020)

phavekes commented 4 days ago

From the audit report: "this issue is considered as a false alert since it was not possible to trigger it. Failure of a compromise came down to the prevention of HTTP header spoofing." (Okke Harsta - Feb 16, 2020)

phavekes commented 4 days ago

Decided not to fix this (Peter Havekes - Feb 18, 2020)
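The thread above asks for a "sanitised Logger" as a defence against forged log entries. The helper below is an added example, not OpenConext-myconext code: it neutralises CR/LF and other control characters so that one untrusted value always produces exactly one log line. The class name, method name and the spoofed header value are assumptions constructed for the demonstration; in the real filter the primary control remains rejecting spoofed HTTP headers, as the audit noted.

```java
import java.util.logging.Logger;

/**
 * Hypothetical helper (not part of the project): escape log-forgery characters
 * in an untrusted value before it is written to a log statement.
 */
public final class SafeLogValue {

    private static final Logger LOG = Logger.getLogger(SafeLogValue.class.getName());
    // Cap the length so a huge header cannot flood the log either.
    private static final int MAX_LEN = 120;

    private SafeLogValue() {}

    /**
     * Returns a copy of value in which CR, LF, every other ISO control character
     * and the Unicode line/paragraph separators are replaced by a visible
     * \\uXXXX escape, and overlong input is truncated. Because no raw line
     * break survives, an attacker cannot start a fake second log entry.
     */
    public static String sanitize(String value) {
        if (value == null) {
            return "<null>";
        }
        StringBuilder out = new StringBuilder(value.length());
        int i = 0;
        for (; i < value.length() && out.length() < MAX_LEN; i++) {
            char c = value.charAt(i);
            if (Character.isISOControl(c) || c == '\u2028' || c == '\u2029') {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        if (i < value.length()) {
            out.append("...[truncated]");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a header value carrying an embedded CRLF and a fake line.
        String spoofed = "alice\r\n2020-02-12 10:00:00 INFO Login succeeded for admin";
        // Logging the raw value would emit two lines; the sanitised value stays on one:
        // "... uid header: alice\u000d\u000a2020-02-12 10:00:00 INFO Login succeeded for admin"
        LOG.info("uid header: " + sanitize(spoofed));
    }
}
```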