** Description changed: [Problem] Minor security issue in past versions of Mahara. + By default, SAML authentication instances have the "Match username + attribute to Remote username" setting unchecked. This means that a user + logging in using single sign-on will log in as the local Mahara user + whose Mahara username matches their SAML username attribute. + [Impact] - Security issue. Could allow for impersonation. + Security issue. Could allow for impersonation. Only affects sites which make use of the SAML authentication plugin and have more than one SAML identity provider. Would allow administrators of one institution to control users in other institutions. [Development Fix] Fixed upstream in the 1.4.1 release which was brought into Debian Nov 4, 2011 as version 1.4.1-1 (which fixes CVE-2011-2771, CVE-2011-2772, CVE-2011-2773, CVE-2011-2774). This version was sync'd into Ubuntu precise. - [Stable Fix] lucid, maverick, and natty carry 1.2.x which is affected by this issue. oneiric carries 1.4.0 and is also affected. Debdiff patches to fix all four versions are attached in comments 7,8,9,10 respectively. [Text Case] - <fill me in with detailed *instructions* on how to reproduce the bug. This will be used by people later on to verify the updated package fixes the problem.> - 1. - 2. - 3. + 1. Set up mahara with the SAML plugin + 2. Set up multiple SAML instances + 3. Use default configuration + 4. Set up a remote SAML username that matches a local Mahara user + 5. Log on using single sign-on Broken Behavior: + In config, "Match username attribute to Remote username" is unchecked. + Allows gaining control over the local Mara user account. + Fixed Behavior: + "Match username attribute to Remote username" is enabled by default. [Regression Potential] - <fill me in with a discussion of likelihood and potential severity of regressions and how users could get inadvertently affected. + Unknown [Original Report] Here are patches to fix a minor security issue in lucid, maverick, natty and oneiric versions of Mahara The issue affects both 1.2.x and 1.4.x * Fix default config for sites with multiple SAML instances - Default configuration changed to prevent impersonation - https://mahara.org/interaction/forum/topic.php?id=4367
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/958841 Title: Minor security update for Mahara To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/958841/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
