vivekrajenderan / simplesamlphp

Automatically exported from code.google.com/p/simplesamlphp

There is a serious security issue with the Drupal integration in simplesamlphp #590

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There is a serious security issue with the Drupal integration in simplesamlphp.
The function "getUser()", which returns the attributes for the current user,
picks the Drupal User ID "uid" from a Cookie, which obviously passes through the
client machine. There is nothing stopping a suitably engineered client from
changing the uid in the Cookie to be any user. Thus the client could acquire
single sign-on credentials for any Drupal user whatsoever by manipulating the
Cookie, so that when a single sign-on transaction is started the client machine
gets logged in to the requesting server as that other user rather than as the
currently logged-in Drupal user.

There is a very straightforward alternative which is to fetch the credentials 
for the currently logged in Drupal user in 
simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php ...
Pseudo code...
// Drupal's bootstrap populates the global $user from the server-side session.
global $user;
...
// Take the uid from that object, never from anything the client sent.
$drupaluid = $user->uid;
...
// Load the full account object for the currently logged-in user.
$drupaluser = user_load($drupaluid);

I have also added "chdir(DRUPAL_ROOT)" in two places as, at least in Drupal 6, 
Drupal generates errors if it is called with the wrong working directory. 
"chdir($a)" changes back the working directory after the call.

The code to fix the above issues is in the attached new version of 
simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php and, as an 
alternative, a patch "External.php.patch" to apply the change. 

Alan Barrett

Original issue reported on code.google.com by alanabar...@gmail.com on 4 Nov 2013 at 3:52

Attachments:
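
As an added example that is not part of the original report or of the drupalauth module, the following PHP (7 or later) contrasts the two lookups the report describes: a uid taken from a client-supplied cookie versus a uid taken from the account Drupal resolved server-side. Drupal's user_load() and global $user are replaced by a constructed in-memory user table and a plain object so the script runs from the command line without Drupal; the function names, the cookie name "drupaluid" and the sample accounts are assumptions made for this illustration.

```php
<?php
// Added illustration, not drupalauth's own code. Contrasts the cookie-driven
// lookup the report describes with the server-side lookup it proposes, using a
// constructed in-memory user table in place of Drupal's user_load().

// Constructed stand-in for Drupal's user table, keyed by uid (assumed data).
$USERS = [
    1  => (object) ['uid' => 1,  'name' => 'admin', 'mail' => 'admin@example.test'],
    42 => (object) ['uid' => 42, 'name' => 'alice', 'mail' => 'alice@example.test'],
];

// Stand-in for Drupal's user_load($uid): the account object, or FALSE if unknown.
function user_load_stub(array $users, int $uid)
{
    return $users[$uid] ?? false;
}

// VULNERABLE pattern (as the report describes): the uid is read from a cookie.
// Cookies are set by the client, so any value can be supplied here.
function getUserFromCookie(array $users, array $cookie)
{
    if (!isset($cookie['drupaluid'])) {
        return false;
    }
    return user_load_stub($users, (int) $cookie['drupaluid']);
}

// HARDENED pattern (the report's proposal): the uid comes from the account
// Drupal itself resolved from the server-side session during bootstrap.
// $sessionUser stands in for Drupal's global $user.
function getUserFromSession(array $users, $sessionUser)
{
    if (empty($sessionUser->uid)) {
        return false;   // anonymous session: nothing to assert to the SP
    }
    return user_load_stub($users, (int) $sessionUser->uid);
}

// Scenario: alice (uid 42) is the logged-in Drupal user, but her browser sends
// a forged cookie claiming uid 1 (the admin account).
$sessionUser  = (object) ['uid' => 42];
$forgedCookie = ['drupaluid' => '1'];

$fromCookie  = getUserFromCookie($USERS, $forgedCookie);
$fromSession = getUserFromSession($USERS, $sessionUser);

printf("cookie-based lookup asserts:  %s\n", $fromCookie  ? $fromCookie->name  : 'none');
printf("session-based lookup asserts: %s\n", $fromSession ? $fromSession->name : 'none');
```

Run with `php example.php`: the cookie-based lookup reports the admin account while the session-based one reports alice, which is exactly the identity confusion the report describes. The caveat for the real module is that global $user is only trustworthy after Drupal has completed its session bootstrap from the correct working directory, which is what the report's chdir(DRUPAL_ROOT) note addresses.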

GoogleCodeExporter commented 9 years ago
That's a serious issue indeed. It seems drupalauth is not part of the 
simplesamlphp default distribution, though, but maintained separately: 
http://code.google.com/p/drupalauth/
So your report is probably on topic there.

Original comment by thijs@kinkhorst.com on 4 Nov 2013 at 4:19

GoogleCodeExporter commented 9 years ago
I have reported the issue to http://code.google.com/p/drupalauth/ as suggested.

Alan.

Original comment by alanabar...@gmail.com on 4 Nov 2013 at 4:40

GoogleCodeExporter commented 9 years ago
http://code.google.com/p/drupalauth/issues/detail?id=9

Original comment by thijs@kinkhorst.com on 5 Nov 2013 at 8:46

GoogleCodeExporter commented 9 years ago

Original comment by jaim...@gmail.com on 6 Nov 2013 at 10:14