|Applies To||RSA ClearTrust 184.108.40.206 Apache Plugin|
|Issue||ClearTrust plugin does not clear the CT_REMOTE_USER from incoming HTTP request|
After a successful authentication through the ClearTrust plugin, two HTTP headers are set on the request passed to the application: CT_REMOTE_USER and CT_AUTH_MODE. The plugin does not override values that were already present in the incoming request (in the protected or authenticated cases the values are overwritten), which in some circumstances may be used to compromise the security of third-party applications that rely on the presence of these headers.
When a user accessed an unprotected resource without having authenticated to the underlying ClearTrust system, the user could "spoof" the value of CT_REMOTE_USER, CT_AUTH_MODE, or any of the user-defined headers that ClearTrust sets to carry the user id, simply by supplying that header in the request.
|Resolution||The following behavior is now applied to all ClearTrust-derived HTTP headers whenever a connection is made through the plugin:|
i) Unprotected resource, user does not have an SSO token - headers are set to an empty string.
ii) Unprotected resource, user has an SSO token - headers are set to the values in the token.
iii) Protected resource, user has an SSO token - headers are set to the values in the token.
This fix is included in version 220.127.116.11 of the Apache Plugin and later.
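As an added illustration, not RSA's plugin code, the following Python models the pre-fix pass-through beside the behaviour listed in i) to iii): the plugin always writes every ClearTrust-derived header itself, so a client-supplied value never reaches the application. Function and type names are hypothetical, the user-defined header name and the request values are constructed, and the protected-resource-without-token case (access refused) is an assumption about normal plugin behaviour rather than something this article states.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Headers the plugin derives from the SSO token. CT_REMOTE_USER and
# CT_AUTH_MODE are from the article; X-CT-USERID stands in for one of the
# user-defined headers that ClearTrust can be configured to populate.
CT_HEADERS = ("CT_REMOTE_USER", "CT_AUTH_MODE", "X-CT-USERID")


@dataclass
class SsoToken:
    """Minimal stand-in for a validated ClearTrust SSO token (hypothetical)."""
    user_id: str
    auth_mode: str


def _token_values(token: SsoToken) -> Dict[str, str]:
    return {"CT_REMOTE_USER": token.user_id,
            "CT_AUTH_MODE": token.auth_mode,
            "X-CT-USERID": token.user_id}


def vulnerable_headers(incoming: Dict[str, str], token: Optional[SsoToken],
                       protected: bool) -> Optional[Dict[str, str]]:
    """Pre-fix behaviour: headers are written only when a token exists, so on an
    unprotected resource with no token a client-supplied value passes through."""
    if protected and token is None:
        return None  # assumption: access refused, user must authenticate
    out = dict(incoming)
    if token is not None:
        out.update(_token_values(token))
    return out


def fixed_headers(incoming: Dict[str, str], token: Optional[SsoToken],
                  protected: bool) -> Optional[Dict[str, str]]:
    """Post-fix behaviour: every ClearTrust-derived header is always set by the
    plugin: case i) empty string, cases ii) and iii) the values in the token."""
    if protected and token is None:
        return None  # assumption: access refused, user must authenticate
    out = dict(incoming)
    for name in CT_HEADERS:
        out[name] = ""  # case i): clear anything the client sent
    if token is not None:
        out.update(_token_values(token))  # cases ii) and iii)
    return out


def spoof_reaches_backend(handler) -> str:
    """Constructed request: an unauthenticated client on an unprotected
    resource supplies its own CT_REMOTE_USER. Returns what the app would see."""
    request = {"Host": "app.example", "CT_REMOTE_USER": "someone_else"}
    return handler(request, None, False)["CT_REMOTE_USER"]
```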
|Legacy Article ID||a9627|