Shibboleth IdP 2.0 UsernamePassword Login Handler Vulnerable to Cross-site Request Attack
=======================================================

Shibboleth IdP 2.0 includes a login handler that accepts usernames and passwords and authenticates the user against systems such as LDAP or Kerberos domains. This login handler is vulnerable to a cross-site request attack. Such attacks could allow the attacker to intercept usernames/passwords or steal active sessions.

Affected Systems
===========

Shibboleth IdP 2.0 deployments that use the UsernamePassword login handler. A deployment is using the UsernamePassword login handler if, in handler.xml, there is an uncommented LoginHandler element of type 'UsernamePassword'.

Addressing the Issue
=============

All affected deployments should immediately upgrade to Shibboleth IdP 2.1.

Credits
=====

Celeste Copeland, from SAS, for finding the bug.

URL for this Security Advisory: http://shibboleth.internet2.edu/secadv/secadv_20081103.txt
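The "Affected Systems" test above (an uncommented LoginHandler of type 'UsernamePassword' in handler.xml) can be automated across a fleet of IdPs. The following is an added example written for this page, not code from the Shibboleth project or the advisory. It assumes the handler.xml shape used by Shibboleth IdP 2.x (a ProfileHandlerGroup root in the urn:mace:shibboleth:2.0:idp:profile-handler namespace, with LoginHandler children typed via xsi:type); the sample document embedded below is constructed for the demonstration. Because xml.etree drops XML comments while parsing, a commented-out UsernamePassword handler is correctly ignored, which is exactly the distinction the advisory draws.

```python
import xml.etree.ElementTree as ET

# Fully qualified name of the xsi:type attribute used on LoginHandler elements.
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample in the shape of a Shibboleth IdP 2.x handler.xml.
# It is NOT a real deployment file; paths and handlers are illustrative.
SAMPLE_HANDLER_XML = """<ph:ProfileHandlerGroup
        xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- A commented-out handler is inactive and must not count as affected:
    <ph:LoginHandler xsi:type="ph:UsernamePassword"
                     jaasConfigurationLocation="file:///opt/idp/conf/login.config" />
    -->
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>
    <ph:LoginHandler xsi:type="ph:UsernamePassword"
                     jaasConfigurationLocation="file:///opt/idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>
</ph:ProfileHandlerGroup>
"""

# Same constructed document with the active UsernamePassword handler removed,
# to show the negative case.
SAMPLE_UNAFFECTED_XML = """<ph:ProfileHandlerGroup
        xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- <ph:LoginHandler xsi:type="ph:UsernamePassword" /> -->
    <ph:LoginHandler xsi:type="ph:RemoteUser" />
</ph:ProfileHandlerGroup>
"""


def active_login_handler_types(xml_text: str) -> list[str]:
    """Return the local xsi:type names of every *active* LoginHandler.

    Comments are discarded by the parser, so handlers that a deployer has
    commented out never appear in the result. The namespace prefix on the
    type value (e.g. 'ph:') is stripped so callers compare bare names.
    """
    root = ET.fromstring(xml_text)
    types = []
    for elem in root.iter():
        # Match on local name so any prefix bound to the profile-handler namespace works.
        if elem.tag.rsplit("}", 1)[-1] != "LoginHandler":
            continue
        xsi_type = elem.get(XSI_TYPE, "")
        types.append(xsi_type.rsplit(":", 1)[-1])
    return types


def uses_username_password_handler(xml_text: str) -> bool:
    """True if the deployment is affected per the advisory's criterion."""
    return "UsernamePassword" in active_login_handler_types(xml_text)


def check_handler_file(path: str) -> bool:
    """Convenience wrapper for running the check against an on-disk handler.xml."""
    with open(path, encoding="utf-8") as fh:
        return uses_username_password_handler(fh.read())


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HANDLER_XML), ("unaffected", SAMPLE_UNAFFECTED_XML)):
        verdict = "AFFECTED - upgrade to IdP 2.1" if uses_username_password_handler(doc) else "not affected"
        print(f"{label}: active handlers {active_login_handler_types(doc)} -> {verdict}")
```

Point `check_handler_file()` at each IdP's conf/handler.xml (typically via configuration management or an SSH sweep) to produce the list of deployments that must be upgraded.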