<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Inconsolata;">
<p><span style="font-family: Arial, Helvetica, sans-serif;">Sorry Justin, I understand the concept of open source, but even in that case, if somebody needs to actually understand a security issue in order&nbsp;to report it, I think that puts a high bar for people
 to actually report security problems. &nbsp;Anybody that brings up a security issue should be taken seriously. &nbsp;I actually feel that Zhanna went above and beyond because of concern. &nbsp;</span></p>
<p><br>
</p>
<div id="Signature">
<div name="divtagdefaultwrapper" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:; margin:0">
<div style="font-size:13px; font-family:Tahoma">
<div class="BodyFragment"><font size="2">
<div class="PlainText">Felipe Polo-Wood<br>
Sr. Manager<br>
Clinical Applications Technical Services</div>
<div class="PlainText"><span>Office: &#43;1.919.668.2268</span><br>
<span>Mobile: &#43;1.919.741.4213</span><br>
</div>
</font></div>
</div>
</div>
</div>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> mitreid-connect-bounces@mit.edu &lt;mitreid-connect-bounces@mit.edu&gt; on behalf of Justin Richer &lt;jricher@mit.edu&gt;<br>
<b>Sent:</b> Friday, August 21, 2015 11:02 AM<br>
<b>To:</b> Zhanna Tsitkov<br>
<b>Cc:</b> mitreid-connect@mit.edu<br>
<b>Subject:</b> Re: [mitreid-connect] protecting authorize endpoint</font>
<div>&nbsp;</div>
</div>
<div>If you had actually understood the issue enough to explain it thoroughly and didn’t expect other people to do the leg work for your investigation, then I agree that we could have found this much sooner.
<div class=""><br class="">
</div>
<div class="">Nobody forced you to bring it to a public list.</div>
<div class=""><br class="">
</div>
<div class="">Thank you for your contribution,</div>
<div class=""><br class="">
</div>
<div class="">&nbsp;— Justin</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 21, 2015, at 10:44 AM, Zhanna Tsitkov &lt;<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="" style="word-wrap:break-word">I am glad that we are finally on the same page with this issue. &nbsp;It could have happened a couple of emails before if you had inspected the issue instead of sending me to read the Spring documentation. &nbsp;In that case I would not have been forced to bring it to the public list first.
<div class="">Thanks,</div>
<div class="">Zhanna<br class="">
<div class=""><br class="">
<div class="">
<div class="">
<div class="">On Aug 21, 2015, at 10:21 AM, Justin Richer &lt;<a href="mailto:jricher@MIT.EDU" class="">jricher@MIT.EDU</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div class="" style="word-wrap:break-word">I’ve been digging into this for the past half hour with all kinds of different combinations. On further investigation, it does look like the system can be coerced to give a token to a valid user without ROLE_USER.
 The authorization endpoint is protected, and tokens still cannot be generated without a valid login. The default implementation of MITREid Connect only uses ROLE_USER and ROLE_ADMIN for user accounts, so this is a bit of a moot point for both the default and
 the general case. This could be problematic for the new UMA server which uses ROLE_EXTERNAL_USER, but there’s still no chance of accessing local identity data or impersonating another user. Non-whitelisted sites are still bounced through the approval page,
 which does require ROLE_USER and mitigates this issue.
<div class=""><br class="">
</div>
<div class="">So to summarize, if your system has user accounts with a role other than ROLE_USER (most don’t) and if you have whitelisted sites, then it’s possible to get a token for the non-ROLE_USER account on a whitelisted site. To tighten security and prevent
 unexpected behavior, we’ve patched the configuration to account for this, filed (and patched) in this issue:</div>
<div class=""><br class="">
</div>
<div class="">&nbsp; <a href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/892" class="">
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/892</a></div>
<div class=""><br class="">
</div>
<div class="">The fix is simple, just add this line to the main &lt;security:http&gt; block in user-context.xml or equivalent:</div>
<div class=""><br class="">
</div>
<div class="">
<div class="" style="margin:0px; font-size:11px; font-family:Monaco; color:rgb(57,51,255)"><code>&lt;security:intercept-url pattern=&quot;/authorize&quot; access=&quot;hasRole('ROLE_USER')&quot; /&gt;</code></div>
</div>
<div class=""><span class="" style="color:#009193"><br class="">
</span></div>
<div class=""><br class="">
</div>
<div class="">Thank you for looking into this matter, though in the future if you really believe it to be a security issue that would affect in-production systems, it’s considered bad form to disclose your findings on a public list first.</div>
<div class=""><br class="">
</div>
<div class="">&nbsp;— Justin<br class="">
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 21, 2015, at 9:43 AM, Justin Richer &lt;<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="" style="word-wrap:break-word">I am unable to replicate the exploit. Even when the client has been whitelisted, when going to the authorization endpoint, I am prompted to log in. I am unable to generate a token from an unauthenticated user, and
 so I don’t believe this is a security issue.
<div class=""><br class="">
</div>
<div class="">&nbsp;— Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 21, 2015, at 9:30 AM, Zhanna Tsitkov &lt;<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="" style="word-wrap:break-word"><font color="#232323" class="">Justin,</font>
<div class=""><font color="#232323" class="">While debugging the workflow related to the authorization code request, I found that the authorization EP provided by Spring Security OAuth2 (org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint) namespace is not protected as it is supposed to be. I was able to enter this EP without any authentication. &nbsp;Section &quot;Configuring the Endpoint URL&quot; of the &quot;OAuth 2 Developer Guide&quot; states (see&nbsp;<a href="https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md" class="">https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md</a>): &quot;N.B. The Authorization endpoint <code class="">/oauth/authorize</code> (or its mapped alternative) should be protected using Spring Security so that it is only accessible to authenticated users.&quot; &nbsp;The example provided in the document implies that the endpoint must be protected from outside by the Spring Security framework.</font></div>
<div class="">
<div class=""><span class="" style="color:rgb(35,35,35); line-height:25px">There is some sort of protection within the endpoint itself, but it certainly does not require ROLE_USER authority as you suggested previously. I was able to pass the internal security check using a different role.&nbsp;</span></div>
<div class=""><span class="" style="color:rgb(35,35,35); line-height:25px">On the other hand, the other OAuth2 endpoint responsible for the user approval process, &quot;/oauth/confirm_access&quot;, is protected as expected.&nbsp;</span></div>
<div class=""><font color="#232323" class="">Thus, this endpoint mitigates the lack of proper security for the authorize endpoint. But it seems to me that for white-listed clients it does not matter.&nbsp;</font></div>
<div class=""><font color="#232323" class=""><br class="">
</font></div>
<div class=""><font color="#232323" class="">In my opinion it is a security issue of MitreID Connect.</font></div>
<div class=""><br class="">
</div>
<div class=""><span class="" style="color:rgb(35,35,35)">Thanks,</span></div>
<div class=""><font color="#232323" class="">Zhanna</font></div>
<div class=""><br class="">
</div>
<div class="">
<div class="">On Aug 20, 2015, at 4:48 PM, Justin Richer &lt;<a href="mailto:jricher@MIT.EDU" class="">jricher@MIT.EDU</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div class="" style="word-wrap:break-word">I suggest reading the documentation for Spring Security and Spring Security OAuth.
<div class=""><br class="">
</div>
<div class="">&nbsp;— Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 10:21 AM, Zhanna Tsitkov &lt;<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="" style="word-wrap:break-word">ok. Sounds good. Can you please point to a particular place where this is implemented?&nbsp;
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Zhanna<br class="">
<div class=""><br class="">
<div class="">
<div class="">On Aug 20, 2015, at 10:14 AM, Justin Richer &lt;<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div class="" style="word-wrap:break-word">The rest of Spring Security, which is configured throughout the code, outside the XML. Specifically, the authorization endpoint requires ROLE_USER to access.
<div class=""><br class="">
</div>
<div class="">&nbsp;— Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 10:04 AM, Zhanna Tsitkov &lt;<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="" style="word-wrap:break-word">In this block the access intercept is set to permitAll:&nbsp;<code style="font-family:Consolas,'Liberation Mono',Menlo,Courier,monospace; white-space:pre">&lt;security:intercept-url pattern=&quot;/**&quot; access=&quot;permitAll&quot; /&gt;</code>
<div class="">What mechanism is used to protect this EP? &nbsp;</div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Zhanna</div>
<div class=""><br class="">
<div class="">
<div class="">
<div class="">On Aug 20, 2015, at 9:47 AM, Justin Richer &lt;<a href="mailto:jricher@MIT.EDU" class="">jricher@MIT.EDU</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div class="" style="word-wrap:break-word">As it says in the paragraph of documentation that you quoted below, it’s protected the same way that the rest of the UI is protected. This is handled in the main &lt;security:http&gt; block in user-context.xml.&nbsp;
<div class=""><br class="">
</div>
<div class="">&nbsp;— Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 9:45 AM, Zhanna Tsitkov &lt;<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="" style="word-wrap:break-word"><font color="#232323" class="">Hi,</font>
<div class=""><font color="#232323" class="">According to the documentation for the configure method of the <code>AuthorizationServerConfigurer</code> interface:</font></div>
<br class="">
<pre style="font-family:Consolas,'Liberation Mono',Menlo,Courier,monospace; font-size:12px; line-height:18px; color:rgb(150,152,150)">
&quot;
* The /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be
* secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common
* requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a
* basic server up and running.
&quot;
</pre>
<div class="">In MitreID Connect it looks like this EP is not explicitly protected. &nbsp;How is it done?&nbsp;</div>
<div class="">Thanks,</div>
<div class="">Zhanna</div>
</div>
_______________________________________________<br class="">
mitreid-connect mailing list<br class="">
<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
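<p><span style="font-family: Arial, Helvetica, sans-serif;">Added example (not from the thread above and not MITREid Connect's own configuration): a minimal Spring Security XML <code>&lt;security:http&gt;</code> block that puts the <code>/**</code> <code>permitAll</code> rule Zhanna quoted next to the <code>/authorize</code> <code>hasRole('ROLE_USER')</code> rule Justin added, with the ordering caveat a practitioner needs. Spring Security matches <code>intercept-url</code> rules in declaration order and uses the first match, so the <code>/authorize</code> rule must precede the catch-all or it never fires. The login-page path is a placeholder, and <code>use-expressions="true"</code> is needed for expression syntax on Spring Security 3.x (it is the default from 4.0).</span></p>

```xml
<!-- Added example, not code from the mailing-list thread or the MITREid Connect project.
     Minimal Spring Security XML showing the weak rule quoted in the thread next to the
     tightened rule. The login-page path is a placeholder. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- BEFORE (weak): the catch-all permits every principal, so nothing in the
       filter chain requires ROLE_USER for /authorize. Only the approval page
       enforces ROLE_USER, and whitelisted clients skip that page entirely. -->
  <!--
  <security:http use-expressions="true">
    <security:intercept-url pattern="/**" access="permitAll" />
    <security:form-login login-page="/login" />
  </security:http>
  -->

  <!-- AFTER (tightened): the /authorize rule is declared BEFORE the catch-all.
       intercept-url rules are evaluated in declaration order and the first
       match wins; placing this line after the /** permitAll rule would leave
       it unreachable and the endpoint would stay open to any principal. -->
  <security:http use-expressions="true">
    <security:intercept-url pattern="/authorize" access="hasRole('ROLE_USER')" />
    <security:intercept-url pattern="/**" access="permitAll" />
    <!-- placeholder login page; the authentication-manager bean is omitted -->
    <security:form-login login-page="/login" />
  </security:http>
</beans>
```

<p><span style="font-family: Arial, Helvetica, sans-serif;">A quick check after applying such a change is to request the authorization endpoint with a session that is authenticated but holds a role other than ROLE_USER; the expected result is an access-denied response rather than an authorization code, regardless of whether the client is whitelisted.</span></p>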
</body>
</html>