CXRF attack and Shib SP
beall at usc.edu
Tue Apr 8 12:42:44 EDT 2014
Nothing was detected regarding the Shib SP component of course; it was the application which was found to be vulnerable. Management indicated in their response that something could be done about this with Shibboleth, and so the task was punted over to my director. I'll just have to punt it right back…
On Apr 8, 2014, at 7:45 AM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
> On 4/8/14, 10:36 AM, "Russell Beall" <beall at usc.edu> wrote:
>> Does anyone on this list have any shib configuration that can block CXRF
>> so that a change to the app could be avoided?
> I don't know for certain what was detected, but the short answer is that
> IdP-initiated SSO is in and of itself an example of CXRF, and the SP
> doesn't currently contain options to block it.
> -- Scott
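Since the SP offers no option to block this and the finding is against the application itself, the fix lands in the app. The following is an added example, not code from this thread or from the Shibboleth project: a synchronizer-token CSRF check (random per-session token embedded in forms, compared in constant time on every state-changing request) with an Origin/Referer check as defence in depth. The application origin, the session dict shape and the request shape are assumptions for illustration; the session is taken to exist already, i.e. after the SP has asserted the user's identity to the app. Note that this protects the application's own state-changing requests; it does not address the IdP-initiated SSO case Scott describes, which the SP cannot block.

```python
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumed application origin (placeholder for illustration).
ALLOWED_ORIGIN = "https://app.example.edu"
# Methods that must not change state and therefore need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create (or reuse) an unguessable per-session token.

    The app embeds this value as a hidden field in every form it renders;
    a cross-site page cannot read it, so it cannot forge a valid request.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_matches(headers: Dict[str, str]) -> bool:
    """Defence in depth: the Origin (or, failing that, Referer) must be the app's own origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def csrf_check(session: Dict[str, str], method: str,
               headers: Dict[str, str], form: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request; only state-changing methods are checked."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False, "missing token"
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(expected, submitted):
        return False, "token mismatch"
    if not origin_matches(headers):
        return False, "cross-origin request"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over constructed requests: one legitimate, three forged variants."""
    # Constructed session, as the app would hold it after the SP asserted the user.
    session = {"user": "jdoe"}
    token = issue_csrf_token(session)
    own = {"Origin": ALLOWED_ORIGIN}
    other = {"Origin": "https://other-site.example"}
    return {
        "legit": csrf_check(session, "POST", own, {"csrf_token": token, "email": "a@b"}),
        "no_token": csrf_check(session, "POST", other, {"email": "a@b"}),
        "bad_token": csrf_check(session, "POST", own, {"csrf_token": "guess", "email": "a@b"}),
        "read_only": csrf_check(session, "GET", other, {}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

Rendering the token into forms and storing the session server-side are left to the application's framework; the point of the check is that the token is unguessable and never readable from another origin, so a forged cross-site POST fails before any state changes.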