List: shibboleth-users
Subject: Re: AJP, headers, security
From: "Cantor, Scott" <cantor.2 () osu ! edu>
Date: 2015-06-29 20:19:10
Message-ID: CE32EF6A-9C92-48C3-8023-12A13A5FDA57 () osu ! edu
On 6/29/15, 3:34 PM, "users on behalf of Philip Durbin" <users-bounces@shibboleth.net on behalf of philip_durbin@harvard.edu> wrote:
>
> 1. Am I right in thinking that to avoid using AJP I have to set
> "ShibUseHeaders" to "On"?
Yes.
> 2. Can anyone provide any guidance in how I could try to hack into my
> application when "ShibUseHeaders On" is enabled?
Trivially, if you can access it directly. Try the Modify Headers add-on for Firefox. If you can't access it directly, then it is only vulnerable if and when the SP springs a leak or something happens configuration-wise to change which headers the SP is managing that doesn't line up with what the application is reading.
It also depends on how the headers are being propagated. Explicit propagation via Apache mod_headers is better/safer than connectors that auto-forward all headers, such as WebLogic's module does.
> I've tried to summarize why we are trying to avoid using AJP at
> https://github.com/IQSS/dataverse/issues/2180#issuecomment-116801203
I've never heard of any issue like that, but I guess anything's possible.
-- Scott
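The three situations Scott lists (direct access to the application, an auto-forwarding connector that lets unmanaged headers through, and explicit mod_headers-style propagation) can be modelled in a few lines. This is an added example, not Shibboleth SP, Dataverse or WebLogic code: the header set SP_MANAGED, the user "alice", and the spoofed values are assumptions made up for the illustration, and the SP session is a constructed dictionary rather than a real mod_shib export. Header names are treated as case-insensitive and, as CGI-style environments do, hyphen and underscore are folded together.

```python
from typing import Dict, Iterable

# Headers the front end is assumed to manage on the SP's behalf (hypothetical set).
SP_MANAGED = ("REMOTE_USER", "EPPN", "AFFILIATION")


def _norm(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive, and CGI-style environments also fold
    # '-' into '_', so Remote-User, remote_user and REMOTE_USER are one header.
    return {k.upper().replace("-", "_"): v for k, v in headers.items()}


def spoofed_client_headers() -> Dict[str, str]:
    """Constructed sample of what a header-editing browser add-on would send."""
    return {
        "Host": "app.example.org",
        "Remote-User": "admin",
        "eppn": "admin@example.org",
        "Affiliation": "staff@example.org",
    }


def sp_attributes(authenticated: bool, drop: Iterable[str] = ()) -> Dict[str, str]:
    """Constructed SP session: the values the SP would export for a real user.
    `drop` simulates a configuration change that stops the SP exporting a header."""
    if not authenticated:
        return {}
    attrs = {
        "REMOTE_USER": "alice",
        "EPPN": "alice@example.org",
        "AFFILIATION": "member@example.org",
    }
    return {k: v for k, v in attrs.items() if k not in drop}


def direct_access(client_headers: Dict[str, str]) -> Dict[str, str]:
    """Attacker reaches the application without passing through the SP at all."""
    return _norm(client_headers)


def forward_all_headers(client_headers: Dict[str, str], sp_attrs: Dict[str, str]) -> Dict[str, str]:
    """Connector that auto-forwards every client header, with the SP overwriting
    the ones it has values for. Whatever the SP does not set leaks through."""
    out = _norm(client_headers)
    out.update(_norm(sp_attrs))
    return out


def forward_explicit(client_headers: Dict[str, str], sp_attrs: Dict[str, str],
                     managed: Iterable[str] = SP_MANAGED) -> Dict[str, str]:
    """mod_headers-style explicit propagation: every managed header is removed
    first (the equivalent of RequestHeader unset), then set only when the SP
    supplies a value for it."""
    sp = _norm(sp_attrs)
    out = {k: v for k, v in _norm(client_headers).items() if k not in managed}
    for name in managed:
        if name in sp:
            out[name] = sp[name]
    return out


def app_view(headers_at_app: Dict[str, str], managed: Iterable[str] = SP_MANAGED) -> Dict[str, str]:
    """What the application believes about the user: the managed headers only."""
    return {name: headers_at_app.get(name) for name in managed}


def leaked_from_client(headers_at_app: Dict[str, str], client_headers: Dict[str, str],
                       sp_attrs: Dict[str, str], managed: Iterable[str] = SP_MANAGED) -> list:
    """Managed headers whose value reached the application from the client, not the SP."""
    client, sp = _norm(client_headers), _norm(sp_attrs)
    return [n for n in managed
            if n in headers_at_app and headers_at_app[n] == client.get(n) and n not in sp]


if __name__ == "__main__":
    spoof = spoofed_client_headers()
    print("direct access:", app_view(direct_access(spoof)))
    drift = sp_attributes(True, drop=("EPPN",))
    print("auto-forward, SP no longer exports EPPN:",
          leaked_from_client(forward_all_headers(spoof, drift), spoof, drift))
    print("explicit, SP no longer exports EPPN:",
          leaked_from_client(forward_explicit(spoof, drift), spoof, drift))
```

The `direct_access` case is the check to run in practice: send the forged headers to the application from outside the SP's path (the Firefox add-on Scott mentions, or any client that lets you set request headers) and see whether the application accepts the identity. The `drop=("EPPN",)` case is the "configuration doesn't line up" failure: with an auto-forwarding connector the client's value fills the gap the SP left, while explicit propagation removes the header first, so a missing attribute shows up as an absent header rather than an attacker-chosen one.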