SAML Vulnerability Lets Attackers Log in as Other Users


ljt...@gmail.com

Feb 28, 2018, 7:57:45 AM2/28/18
to SimpleSAMLphp
Based on this article, https://www.bleepingcomputer.com/news/security/saml-vulnerability-lets-attackers-log-in-as-other-users/, as a web developer using simplesamlphp for SSO, do I need to do anything? Or does this vulnerability only apply to the providers?

Jaime Perez Crespo

Feb 28, 2018, 8:00:23 AM2/28/18
to simple...@googlegroups.com
Hi,

On 28 Feb 2018, at 13:57 PM, ljt...@gmail.com wrote:
> Based on this article, https://www.bleepingcomputer.com/news/security/saml-vulnerability-lets-attackers-log-in-as-other-users/, as a web developer using simplesamlphp for SSO, do I need to do anything? Or does this vulnerability only apply to the providers?

As I just mentioned in the follow up to yesterday’s release, SimpleSAMLphp is NOT affected by this issue.


Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

ljt...@gmail.com

Feb 28, 2018, 8:35:58 AM2/28/18
to SimpleSAMLphp
Thanks! I found your post yesterday.

Chong Lor

Feb 28, 2018, 2:12:11 PM2/28/18
to SimpleSAMLphp
I know this is not a composer support group, but do you have any suggestion on how to update simplesamlphp using composer? I have tried "composer update simplesamlphp/simplesamlphp" and got the following, but when I try "composer info", it still shows the old version.

$ composer update simplesamlphp/simplesamlphp
Gathering patches for root package.
Removing package drupal/config_installer so that it can be re-installed and re-patched.
Deleting docroot/profiles/contrib/config_installer - deleted
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
Gathering patches for root package.
Gathering patches for dependencies. This might take a minute.
  - Installing drupal/config_installer (1.5.0): Loading from cache
  - Applying patches for drupal/config_installer
   Could not apply patch! Skipping. The error was: Cannot apply patch https://www.drupal.org/files/issues/config_installer_2729243_2.patch

Package codegyre/robo is abandoned, you should avoid using it. Use consolidation/robo instead.
Generating autoload files
Removing packages services cache file:
/Users/charlie/Sites/drupalsites/vendor/drupal/console/extend.console.uninstall.services.yml
Creating packages services cache file:
/Users/charlie/Sites/drupalsites/vendor/drupal/console/extend.console.uninstall.services.yml

Thank you so much!

--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
 
https://simplesamlphp.org/support
 
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
 
Make sure to read the documentation:
 
https://simplesamlphp.org/docs/stable/
 
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
 
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/I5jNdsetV-Q/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlphp+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Peter Schober

Feb 28, 2018, 2:45:56 PM2/28/18
to SimpleSAMLphp
* Chong Lor <ljt...@gmail.com> [2018-02-28 20:17]:
> I know this is no a composer support group but do you have any
> suggestion on how to update simplesamlphp using composer?

The other skill to learn is not hi-jacking existing threads (this one
here is about the topic written in the "Subject" header of this email)
when you want to ask something completely unrelated.
Instead compose a new email to the list address. If that's already too
much effort you can't expect others to take time out of their busy day
to help you fix your problem.
-peter

Paul Gilzow

Mar 1, 2018, 1:55:03 PM3/1/18
to SimpleSAMLphp
Is simplesamlphp a direct requirement in your root composer file, or is it a dependency of one of your other dependencies? I have it as a requirement in my project, and when I ran composer update yesterday it picked up the update and pulled it down.
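Added example (not code from this thread, from SimpleSAMLphp or from Composer): a small Python script that answers Paul's question from the files on disk, i.e. whether simplesamlphp/simplesamlphp is a direct requirement of the root composer.json or only pulled in by another package, and which constraint composer.lock records for it. The embedded composer.json and composer.lock are constructed for the example; the acme/* package names, their constraints and every version number are hypothetical, and the "minimum" argument is whatever version you want to be at or above (the thread does not state one).

```python
"""Is a package a direct requirement or only a transitive one, and what
does composer.lock pin it to? Runs offline on the constructed samples below.
All acme/* names and all version numbers are hypothetical."""
import json
import re

# Constructed composer.json: the root project does NOT list
# simplesamlphp/simplesamlphp itself, only a hypothetical acme/sso-bridge.
SAMPLE_COMPOSER_JSON = """{
  "name": "acme/site",
  "require": {
    "acme/cms": "^3.0",
    "acme/sso-bridge": "^2.0"
  },
  "require-dev": {
    "acme/devtools": "^1.0"
  }
}"""

# Constructed composer.lock excerpt (only the fields this script reads).
# acme/sso-bridge caps simplesamlphp at ~1.14.0, so
# "composer update simplesamlphp/simplesamlphp" cannot move past 1.14.x.
SAMPLE_COMPOSER_LOCK = """{
  "packages": [
    {"name": "acme/cms", "version": "3.2.1", "require": {"php": ">=7.0"}},
    {"name": "acme/sso-bridge", "version": "2.1.0",
     "require": {"simplesamlphp/simplesamlphp": "~1.14.0"}},
    {"name": "simplesamlphp/simplesamlphp", "version": "v1.14.17",
     "require": {"php": ">=5.4"}}
  ],
  "packages-dev": [
    {"name": "acme/devtools", "version": "1.0.3", "require": {}}
  ]
}"""


def direct_requirements(composer_json_text):
    """name -> constraint for everything under require and require-dev."""
    data = json.loads(composer_json_text)
    direct = {}
    for section in ("require", "require-dev"):
        direct.update(data.get(section, {}))
    return direct


def locked_packages(composer_lock_text):
    """name -> lock entry for every installed package, prod and dev."""
    data = json.loads(composer_lock_text)
    return {entry["name"]: entry
            for section in ("packages", "packages-dev")
            for entry in data.get(section, [])}


def requiring_packages(locked, target):
    """Installed packages that depend on target, with the constraint each
    imposes (the same answer `composer why target` gives on a real project)."""
    return {name: entry["require"][target]
            for name, entry in locked.items()
            if target in entry.get("require", {})}


def version_key(version):
    """'v1.14.17' -> (1, 14, 17), padded to three parts; branch aliases such
    as 'dev-master' give () and pre-release suffixes are ignored. This is a
    deliberately small parser, not Composer's version semantics."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", version)
    if not match:
        return ()
    parts = [int(x) for x in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def diagnose(composer_json_text, composer_lock_text, target, minimum=None):
    """Summarise how target is pinned; `minimum` is the operator's choice."""
    direct = direct_requirements(composer_json_text)
    locked = locked_packages(composer_lock_text)
    entry = locked.get(target)
    report = {
        "target": target,
        "locked_version": entry["version"] if entry else None,
        "direct_constraint": direct.get(target),
        "required_by": requiring_packages(locked, target),
    }
    if minimum is not None and entry is not None:
        report["meets_minimum"] = version_key(entry["version"]) >= version_key(minimum)
    return report


def advice(report):
    """One-line next step derived from the report."""
    if report["locked_version"] is None:
        return "%s is not in composer.lock at all." % report["target"]
    if report["direct_constraint"] is not None:
        return ("Direct requirement (%s): raise the constraint in composer.json, then "
                "run composer update %s." % (report["direct_constraint"], report["target"]))
    blockers = ", ".join("%s (%s)" % kv for kv in sorted(report["required_by"].items()))
    return ("Transitive only, constrained by %s: composer update %s cannot move past "
            "what those packages allow; update them or their constraint first."
            % (blockers, report["target"]))


if __name__ == "__main__":
    result = diagnose(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK,
                      "simplesamlphp/simplesamlphp", minimum="1.15.0")
    print(json.dumps(result, indent=2))
    print(advice(result))
```

On a real project, "composer why simplesamlphp/simplesamlphp" and "composer show simplesamlphp/simplesamlphp" give the same two answers directly. The point the script makes explicit is that "composer update" with a single package name only moves that package within the constraints every other installed package places on it, which is consistent with the "0 updates" in the output posted above.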