000019499 - ClearTrust plugin does not clear the CT_REMOTE_USER from incoming HTTP request

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000019499
Applies To: RSA ClearTrust 4.6.1.1 Apache Plugin
Sun Solaris
Issue: ClearTrust plugin does not clear the CT_REMOTE_USER from incoming HTTP request
After a successful authentication through the ClearTrust plugin, two HTTP headers are added to the request that is passed on to the application: CT_REMOTE_USER and CT_AUTH_MODE. The plugin did not override values of these headers that were already present in the incoming request (in the protected or authenticated cases the values would be overwritten), which in some circumstances could be used to compromise the security of third-party applications that rely on the presence of these headers.
When a user accessed an unprotected resource and had not authenticated to the underlying ClearTrust system, the user could spoof the value of CT_REMOTE_USER, CT_AUTH_MODE, or any of the user-defined headers that ClearTrust sets to carry the user id, simply by setting the header in the request. An application that treats the presence of CT_REMOTE_USER as proof that the plugin authenticated the user would then accept the attacker-chosen identity.
Resolution: The following behavior has now been set for all ClearTrust-derived HTTP headers whenever a connection is made through the plugin:

i) Unprotected resource, user does not have an SSO token - headers are set to an empty string
ii) Unprotected resource, user has an SSO token - headers are set to the values in the token
iii) Protected resource, user has an SSO token - headers are set to the values in the token

In every case the plugin now writes the headers itself, so a value supplied by the client never reaches the application; this applies to the user-defined user-id headers as well as to CT_REMOTE_USER and CT_AUTH_MODE. To confirm the fix on a deployment, request an unprotected resource with a forged CT_REMOTE_USER header and no SSO token, and check that the application receives an empty value rather than the forged one.

This change is included in version 4.6.1.33 of the Apache plugin and later.
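The following is an added example and not RSA's plugin code. It models the two header-handling behaviours described in the Issue and Resolution sections above (pre-fix: headers only written when a token is present; post-fix: every derived header always written, empty when there is no token) and runs a constructed spoofed request through each, with a downstream application that trusts CT_REMOTE_USER. The Request class, the token layout and the user-defined header name CT_USER_ID are assumptions made for illustration.

```python
# Added example, not RSA's plugin code: a model of the two header-handling
# behaviours the article describes, plus a downstream application that
# trusts CT_REMOTE_USER.  The Request class, the token layout and the
# user-defined header name "CT_USER_ID" are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

# Headers the plugin derives from the SSO token.  CT_REMOTE_USER and
# CT_AUTH_MODE are the two the article names; CT_USER_ID stands in for a
# user-defined header configured to carry the user id (assumed name).
DERIVED_HEADERS = ("CT_REMOTE_USER", "CT_AUTH_MODE", "CT_USER_ID")


@dataclass
class Request:
    path: str
    headers: dict                      # headers exactly as the client sent them
    sso_token: Optional[dict] = None   # decoded SSO token, None if absent


def headers_from_token(token: dict) -> dict:
    """Values the plugin derives from a validated SSO token."""
    return {
        "CT_REMOTE_USER": token["user"],
        "CT_AUTH_MODE": token["auth_mode"],
        "CT_USER_ID": token["user"],
    }


def plugin_before_fix(req: Request, protected: bool) -> dict:
    """Behaviour before 4.6.1.33 as the article describes it: derived headers
    are only written when there is a token to derive them from.  On an
    unprotected resource with no token the request passes through untouched,
    so a client-supplied CT_REMOTE_USER reaches the application."""
    if protected and req.sso_token is None:
        raise PermissionError("protected resource without SSO token")
    out = dict(req.headers)
    if req.sso_token is not None:
        out.update(headers_from_token(req.sso_token))
    return out


def plugin_after_fix(req: Request, protected: bool) -> dict:
    """Behaviour from 4.6.1.33: every derived header is always set by the
    plugin.  Case (i): unprotected, no token -> empty string.  Cases (ii) and
    (iii): token present -> values from the token.  Client-supplied values
    never survive, whatever the resource type."""
    if protected and req.sso_token is None:
        raise PermissionError("protected resource without SSO token")
    out = dict(req.headers)
    for name in DERIVED_HEADERS:
        out[name] = ""                                   # case (i)
    if req.sso_token is not None:
        out.update(headers_from_token(req.sso_token))    # cases (ii), (iii)
    return out


def third_party_app(headers: dict) -> str:
    """A downstream application that trusts the plugin-set header, as the
    affected third-party applications in the article do."""
    user = headers.get("CT_REMOTE_USER", "")
    return f"logged in as {user}" if user else "anonymous"


def whoami(plugin, req: Request, protected: bool) -> str:
    """Run a request through the chosen plugin model, then the application."""
    return third_party_app(plugin(req, protected))


# Constructed sample requests (not captured traffic).
SPOOFED = Request("/public/whoami",
                  {"CT_REMOTE_USER": "admin", "CT_AUTH_MODE": "BASIC"})
GENUINE = Request("/public/whoami",
                  {"CT_REMOTE_USER": "admin"},   # forged, but a real token is present
                  sso_token={"user": "alice", "auth_mode": "BASIC"})

if __name__ == "__main__":
    print("before fix, spoofed, unprotected:", whoami(plugin_before_fix, SPOOFED, False))
    print("after fix,  spoofed, unprotected:", whoami(plugin_after_fix, SPOOFED, False))
    print("after fix,  token,   unprotected:", whoami(plugin_after_fix, GENUINE, False))
    print("after fix,  token,   protected:  ", whoami(plugin_after_fix, GENUINE, True))
```

The spoofed request is accepted as "admin" by the pre-fix model and comes out as "anonymous" under the post-fix model; with a token present the token's user wins over the forged header in both the unprotected and protected cases. The same shape of check, sending a forged CT_REMOTE_USER to an unprotected URL with no SSO cookie, is how to confirm a real deployment is on the fixed plugin.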
Legacy Article ID: a9627
