Shibboleth Scan Findings from OWASP Scan Tool
Bowers, Peter S
Peter.Bowers at umassmed.edu
Wed Nov 24 14:02:23 UTC 2021
We continue to see scan findings come back from our security department regarding Shibboleth. The scan results included the results below. We are currently on Shibboleth SP 184.108.40.206 release: https://shibboleth.net/downloads/service-provider/latest/ . Has anyone else seen these results?
Medium (Medium) Buffer Overflow
Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way.
Attack
POST https://profiles.umassmed.edu/Shibboleth.sso/SAML2/POST HTTP/1.1
Connection: keep-alive
Content-Length: 2200
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://sm-tst11.ucollaborate.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept:
High (Medium) SQL Injection
SQL injection may be possible.
Attack ss:mem:714a0f4dcc377cbf4da5711788e1a5fafbaf4210e55721ab1ed425e639022676 AND 1=1 --
Do not trust client side input, even if there is client side validation in place.
In general, type check all data on the server side.
If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'
If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.
If database Stored Procedures can be used, use them.
Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!
Do not create dynamic SQL queries using simple string concatenation.
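As an added illustration of what the remediation text above means, not code from the original post or from the Shibboleth project: a Python/sqlite3 stand-in with a constructed table, showing how the finding's boolean probe (its 'AND 1=1 --', with a closing quote added to match the quoted literal in the sample query) behaves against a concatenated query versus a '?'-parameterised one. The table, column names and token values are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for any store a web app queries by a request value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (token TEXT, username TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)",
                     [("abc123", "alice"), ("def456", "bob")])
    return conn


def lookup_concat(conn, token):
    """Vulnerable form: the request value is spliced into the SQL text by string concatenation,
    which is exactly what the remediation text says not to do."""
    sql = "SELECT username FROM sessions WHERE token = '" + token + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, token):
    """Hardened form: a '?' placeholder binds the value as data, so whatever the request carries
    is compared as a literal and cannot change the structure of the query."""
    sql = "SELECT username FROM sessions WHERE token = ?"
    return [row[0] for row in conn.execute(sql, (token,))]


def probe_differs(lookup, base):
    """Mimic a boolean-based scanner check: send a true condition and a false condition appended
    to a known value and report whether the two responses differ. A difference is the scanner's
    signal that the condition was evaluated by the database rather than treated as data."""
    conn = make_db()
    true_resp = lookup(conn, base + "' AND 1=1 --")
    false_resp = lookup(conn, base + "' AND 1=2 --")
    return true_resp != false_resp


if __name__ == "__main__":
    # Concatenation: the true probe returns alice, the false probe returns nothing -> finding.
    # Parameterised: both probes return nothing, because no token literally equals the probe string.
    print("concat differs:", probe_differs(lookup_concat, "abc123"))  # True
    print("param differs: ", probe_differs(lookup_param, "abc123"))   # False
```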