← Back to team overview

mahara-packaging team mailing list archive

  1. mahara-packaging team
  2. Mailing list archive
  3. Message #00094

[Bug 958841] Re: Minor security update for Mahara

  Thread PreviousDate PreviousThread Next 
** Description changed:

  [Problem]
  Minor security issue in past versions of Mahara.
  
+ By default, SAML authentication instances have the "Match username
+ attribute to Remote username" setting unchecked.  This means that a user
+ logging in using single sign-on will log in as the local Mahara user
+ whose Mahara username matches their SAML username attribute.
+ 
  [Impact]
- Security issue.  Could allow for impersonation.
+ Security issue.  Could allow for impersonation.  Only affects sites which make use of the SAML authentication plugin and have more than one SAML identity provider.  Would allow administrators of one institution to control users in other institutions.
  
  [Development Fix]
  Fixed upstream in the 1.4.1 release which was brought into Debian Nov 4, 2011 as version 1.4.1-1 (which fixes CVE-2011-2771, CVE-2011-2772, CVE-2011-2773, CVE-2011-2774).  This version was sync'd into Ubuntu precise.
- 
  
  [Stable Fix]
  lucid, maverick, and natty carry 1.2.x which is affected by this issue.  oneiric carries 1.4.0 and is also affected.  Debdiff patches to fix all four versions are attached in comments 7,8,9,10 respectively.
  
  [Text Case]
- <fill me in with detailed *instructions* on how to reproduce the bug.  This will be used by people later on to verify the updated package fixes the problem.>
- 1.
- 2.
- 3.
+ 1. Set up mahara with the SAML plugin
+ 2. Set up multiple SAML instances
+ 3. Use default configuration
+ 4. Set up a remote SAML username that matches a local Mahara user
+ 5. Log on using single sign-on
  Broken Behavior:
+ In config, "Match username attribute to Remote username"  is unchecked.
+ Allows gaining control over the local Mara user account.
+ 
  Fixed Behavior:
+ "Match username attribute to Remote username"  is enabled by default.
  
  [Regression Potential]
- <fill me in with a discussion of likelihood and potential severity of regressions and how users could get inadvertently affected.
+ Unknown
  
  [Original Report]
  Here are patches to fix a minor security issue in lucid, maverick, natty and oneiric versions of Mahara
  
  The issue affects both 1.2.x and 1.4.x
  
   * Fix default config for sites with multiple SAML instances
     - Default configuration changed to prevent impersonation
     - https://mahara.org/interaction/forum/topic.php?id=4367

-- 
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/958841

Title:
  Minor security update for Mahara

Status in “mahara” package in Ubuntu:
  Fix Released
Status in “mahara” source package in Lucid:
  Fix Committed
Status in “mahara” source package in Maverick:
  Fix Committed
Status in “mahara” source package in Natty:
  Fix Committed
Status in “mahara” source package in Oneiric:
  Fix Committed
Status in “mahara” source package in Precise:
  Fix Released

Bug description:
  [Problem]
  Minor security issue in past versions of Mahara.

  By default, SAML authentication instances have the "Match username
  attribute to Remote username" setting unchecked.  This means that a
  user logging in using single sign-on will log in as the local Mahara
  user whose Mahara username matches their SAML username attribute.

  [Impact]
  Security issue.  Could allow for impersonation.  Only affects sites which make use of the SAML authentication plugin and have more than one SAML identity provider.  Would allow administrators of one institution to control users in other institutions.

  [Development Fix]
  Fixed upstream in the 1.4.1 release which was brought into Debian Nov 4, 2011 as version 1.4.1-1 (which fixes CVE-2011-2771, CVE-2011-2772, CVE-2011-2773, CVE-2011-2774).  This version was sync'd into Ubuntu precise.

  [Stable Fix]
  lucid, maverick, and natty carry 1.2.x which is affected by this issue.  oneiric carries 1.4.0 and is also affected.  Debdiff patches to fix all four versions are attached in comments 7,8,9,10 respectively.

  [Text Case]
  1. Set up mahara with the SAML plugin
  2. Set up multiple SAML instances
  3. Use default configuration
  4. Set up a remote SAML username that matches a local Mahara user
  5. Log on using single sign-on
  Broken Behavior:
  In config, "Match username attribute to Remote username"  is unchecked.
  Allows gaining control over the local Mara user account.

  Fixed Behavior:
  "Match username attribute to Remote username"  is enabled by default.

  [Regression Potential]
  Unknown

  [Original Report]
  Here are patches to fix a minor security issue in lucid, maverick, natty and oneiric versions of Mahara

  The issue affects both 1.2.x and 1.4.x

   * Fix default config for sites with multiple SAML instances
     - Default configuration changed to prevent impersonation
     - https://mahara.org/interaction/forum/topic.php?id=4367

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/958841/+subscriptions
  Thread PreviousDate PreviousThread Next