
List:       shibboleth-users
Subject:    Re: AJP, headers, security
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2015-06-29 20:19:10
Message-ID: CE32EF6A-9C92-48C3-8023-12A13A5FDA57 () osu ! edu

On 6/29/15, 3:34 PM, "users on behalf of Philip Durbin" <users-bounces@shibboleth.net on behalf of philip_durbin@harvard.edu> wrote:
> 
> 1. Am I right in thinking that to avoid using AJP I have to set
> "ShibUseHeaders" to "On"?

Yes.

> 2. Can anyone provide any guidance in how I could try to hack into my
> application when "ShibUseHeaders On" is enabled?

Trivially, if you can access it directly. Try the Modify Headers add-on for Firefox. If you can't access it directly, then it is only vulnerable if and when the SP springs a leak or something happens configuration-wise to change which headers the SP is managing that doesn't line up with what the application is reading.

It also depends on how the headers are being propagated. Explicit propagation via Apache mod_headers is better/safer than connectors that auto-forward all headers, such as WebLogic's module does.

> I've tried to summarize why we are trying to avoid using AJP at
> https://github.com/IQSS/dataverse/issues/2180#issuecomment-116801203

I've never heard of any issue like that, but I guess anything's possible.

-- Scott

-- 
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
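A configuration-drift check for the mismatch Scott describes (headers the SP manages versus headers the application reads), added here as an example and not code from this thread. The attribute-map.xml content is constructed, and the assumptions that each attribute `id` becomes a request header name under ShibUseHeaders On and that the SP also sets the listed `Shib-*` headers are mine:

```python
import xml.etree.ElementTree as ET

# Constructed sample attribute-map.xml: the attributes this SP is configured
# to manage.  Assumption: with ShibUseHeaders On, each "id" is the name of a
# request header the SP sets (and clears on requests where it is absent).
ATTRIBUTE_MAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>
"""

# Headers the SP populates on its own, independent of the attribute map
# (assumed list; extend it to match your deployment).
SP_BUILTIN_HEADERS = {
    "Shib-Session-ID",
    "Shib-Identity-Provider",
    "Shib-Authentication-Method",
}

NS = "{urn:mace:shibboleth:2.0:attribute-map}"


def managed_headers(attribute_map_xml):
    """Return the lowercased set of header names the SP manages."""
    root = ET.fromstring(attribute_map_xml)
    ids = {a.get("id") for a in root.iter(NS + "Attribute") if a.get("id")}
    # HTTP header names are case-insensitive, so compare in lowercase.
    return {h.lower() for h in ids | SP_BUILTIN_HEADERS}


def header_drift(attribute_map_xml, app_headers):
    """Compare what the application reads against what the SP manages.

    'unmanaged' headers are the dangerous ones: the application trusts them,
    but the SP neither sets nor clears them, so a value supplied by a client
    that reaches the application directly would be accepted as-is.
    'unused' headers are harmless but indicate stale configuration.
    """
    managed = managed_headers(attribute_map_xml)
    wanted = {h.lower() for h in app_headers}
    return {
        "unmanaged": sorted(wanted - managed),
        "unused": sorted(managed - wanted),
    }


if __name__ == "__main__":
    # Constructed list of headers an application consults.
    print(header_drift(ATTRIBUTE_MAP_XML, ["eppn", "mail", "Shib-Session-ID", "displayName"]))
```

Any name under `unmanaged` should either be added to the SP's attribute map or removed from the application's trusted-header list before ShibUseHeaders On is relied upon.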