Details
- Bug
- Resolution: Won't Fix
- High
- None
- 2.5.1
- None
Description
When generating an SSO token, Crowd should hash both the Remote Address and the User Agent, but it seems that Crowd 2.5.1 isn't using the User-Agent for authentication when generating an SSO token through the REST API.
If one requests an SSO token with 'Firefox' as the User Agent and then validates the returned SSO token with 'IE' as the User Agent, Crowd does not return any error. The two HTTP requests are shown below:
First request: ask Crowd to create an SSO token:
POST /crowd/rest/usermanagement/latest/session HTTP/1.1
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<authentication-context>
  <username>homer</username>
  <password>password</password>
  <validation-factors>
    <validation-factor>
      <name>User-Agent</name>
      <value>Firefox</value>
    </validation-factor>
  </validation-factors>
</authentication-context>
Crowd returns:
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
X-Embedded-Crowd-Version: Crowd/2.5.1
X-Crowd-User-Management-Version: 1.2
Set-Cookie: JSESSIONID=EE9AA13C6188234A64CB1216E53D8AFD; Path=/crowd
Cache-Control: no-cache, no-store, no-transform
Location: http://localhost:8095/crowd/rest/usermanagement/latest/session/kyHw09WHXxSFHSrStseQgQ00
Content-Type: application/xml
Content-Length: 366
Date: Fri, 09 Nov 2012 16:05:24 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<session expand="user">
  <token>kyHw09WHXxSFHSrStseQgQ00</token>
  <user name="homer">
    <link rel="self" href="http://localhost:8095/crowd/rest/usermanagement/latest/user?username=homer"/>
  </user>
  <link rel="self" href="http://localhost:8095/crowd/rest/usermanagement/latest/session/kyHw09WHXxSFHSrStseQgQ00"/>
</session>
Second request: ask Crowd to validate this token, passing a different User-Agent:
POST /crowd/rest/usermanagement/latest/session/kyHw09WHXxSFHSrStseQgQ00 HTTP/1.1
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<validation-factors>
  <validation-factor>
    <name>User-Agent</name>
    <value>ie</value>
  </validation-factor>
</validation-factors>
Crowd accepts the token despite the incorrect User Agent, which suggests a serious security issue: the User Agent is no longer part of the token hash:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Embedded-Crowd-Version: Crowd/2.5.1
X-Crowd-User-Management-Version: 1.2
Set-Cookie: JSESSIONID=ECF61E962CD3F857ED2E0DFAC6041961; Path=/crowd
Cache-Control: no-cache, no-store, no-transform
Content-Type: application/xml
Content-Length: 366
Date: Fri, 09 Nov 2012 16:06:02 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<session expand="user">
  <token>kyHw09WHXxSFHSrStseQgQ00</token>
  <user name="homer">
    <link rel="self" href="http://localhost:8095/crowd/rest/usermanagement/latest/user?username=homer"/>
  </user>
  <link rel="self" href="http://localhost:8095/crowd/rest/usermanagement/latest/session/kyHw09WHXxSFHSrStseQgQ00"/>
</session>
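As an added illustration (not Crowd's code and not part of the report), the following model shows the check the report expects: each token is bound to a keyed digest of the validation factors it was issued with, so replaying the second request's different User-Agent against the first request's token fails validation. The XML bodies are constructed to mirror the two requests above; `SessionStore`, `parse_factors` and `factor_digest` are hypothetical names, not Crowd API.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed bodies mirroring the report's create and validate requests.
CREATE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<authentication-context>
  <username>homer</username>
  <password>password</password>
  <validation-factors>
    <validation-factor><name>User-Agent</name><value>Firefox</value></validation-factor>
  </validation-factors>
</authentication-context>"""

VALIDATE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<validation-factors>
  <validation-factor><name>User-Agent</name><value>ie</value></validation-factor>
</validation-factors>"""


def parse_factors(xml_body):
    """Return {name: value} for every <validation-factor> in the body."""
    root = ET.fromstring(xml_body.encode("utf-8"))
    return {vf.findtext("name"): vf.findtext("value") for vf in root.iter("validation-factor")}


def factor_digest(factors, key):
    """Keyed digest over a canonical (sorted) rendering of all factors, e.g. remote address and User-Agent."""
    canon = "\n".join(f"{name}={factors[name]}" for name in sorted(factors))
    return hmac.new(key, canon.encode("utf-8"), hashlib.sha256).hexdigest()


class SessionStore:
    """Hypothetical in-memory SSO session store that binds each token to its factor digest."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side secret; never leaves the server
        self._sessions = {}                   # token -> (username, factor digest)

    def create(self, username, factors):
        token = secrets.token_urlsafe(18)
        self._sessions[token] = (username, factor_digest(factors, self._key))
        return token

    def validate(self, token, factors):
        """True only if the token exists and the presented factors match the bound digest."""
        entry = self._sessions.get(token)
        if entry is None:
            return False
        return hmac.compare_digest(entry[1], factor_digest(factors, self._key))


def reproduce_report():
    """Replay the two requests; returns (same factors accepted, changed User-Agent accepted)."""
    store = SessionStore()
    username = ET.fromstring(CREATE_BODY.encode("utf-8")).findtext("username")
    issued_with = parse_factors(CREATE_BODY)
    token = store.create(username, issued_with)
    return store.validate(token, issued_with), store.validate(token, parse_factors(VALIDATE_BODY))
```

A store that binds the factors returns `(True, False)`; the report's Crowd 2.5.1 behaviour corresponds to `(True, True)`.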