Connect with us
X
Categories:

Technology

Passport-SAML auth bypass triggers fix of critical, upstream XMLDOM problem

Published

on

Passport-SAML auth bypass triggers fix of critical, upstream XMLDOM problem
Share this post:

A critical vulnerability arising from improper input validation has been addressed in XMLDOM, the JavaScript implementation of W3C DOM for Node.js, Rhino, and browsers.

The flawed behavior was seemingly first flagged as potentially in need of remedy in 2016. But it was only with the recent discovery of an authentication bypass in Passport-SAML, the SAML 2.0 authentication provider for Node.js library Passport, that XMLDOM maintainers tackled the root cause of the problem.

“Xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing,” an XMLDOM advisory published on November 1 explained.

Breaking the assumption

“This breaks the assumption that there is only a single root node in the tree,” it continues, and poses “a potential issue for dependents”.

The bug was assigned CVE-2022-39353 and a severity rating of CVSS 9.4 by GitHub CVE Numbering Authority, later uprated in severity to CVSS 9.8 by the NIST National Vulnerability Database.

XMLDOM is widely used, with NPM detecting 2.8 million weekly downloads (albeit caveats apply regarding the accuracy of download counts).

Kurt Boberg, a maintainer on the project, told The Daily Swig: “Any security-critical workflow that accepts partial signatures on XML and reads a child node is likely affected by this issue.

“The core problem is that you can supply two XML documents to a request (one valid, one forged) and as long as the validator accepts the legitimate one, a property read via xmldom can potentially read a node value out of the forged document.”

Passport-SAML bypass

Passport-SAML, which has 167,000 weekly NPM downloads, mishandled cryptographic signature verification because of the XMLDOM flaw. Tracked as CVE-2022-39299, the high severity Passport-SAML issue potentially enabled an attacker “to bypass SAML authentication on a website using passport-saml,” The CVE description said.

“A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.”

The bug, assigned a severity score of CVSS 8.1, was patched on October 11.

‘Worst possible outcome’

Asked what other damage an attacker might potentially cause downstream of the XMLDOM bug, Boberg said it “really depends on the expectations around the XML parsing. The aforementioned SAML issue is pretty much the worst possible outcome.

“It really hinges on the parsing application making a security decision based on XML input from the user that it expects to be signed. It’s like stapling an additional page to a notarized document, and passing it through a verification process that only checks if the first page is notarized.”

He added: “The downstream impact depends entirely on what the legitimate document would let you do.”

Path to a patch

The related GitHub bug thread began in 2016, when an XMLDOM maintainer said the issue “appears to me to be a violation of the W3C DOM Level 2 Core Specification”.

Speculating that the flaw “might be a ‘false-positive’ bug”, he suggested “there is some utility in being able to parse multiple documents in a single stream, if the API can be re-tooled just a bit”. He also described doing so “silently without issuing even so much as a warning to consumers” as “odd”.

The thread then remained dormant until the emergence of the Passport-SAML vulnerability and its root cause quickly became apparent, prompting the rapid deployment of patches within @xmldom/xmldom NPM versions 0.7.7, 0.8.4, and 0.9.0-beta.4, together with mitigations, fix details, and advice to developers to align with the specs to avoid code breakage.


Get More Stories Like This On: Facebook: @AllNaijaEntertainment, Twitter: @AllNaijaEntertainment
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Chief Oyerigha Echo Toikumoh - The Earlier The Better
Music1 month ago

[Music] Chief Oyerigha Echo Toikumoh – The Earlier The Better

Enzo Maresca and Mikel Arteta stated they will not take Pep Guardiola's place at Manchester City
Sports1 month ago

Enzo Maresca and Mikel Arteta stated they will not take Pep Guardiola’s place at Manchester City

Alan Shearer reckons Liverpool star is ‘not going to get better’
Sports1 month ago

Alan Shearer reckons Liverpool star is ‘not going to get better’

NECO examiners threaten nationwide protest over unpaid entitlements
News1 month ago

NECO examiners threaten nationwide protest over unpaid entitlements

Jonathan congratulates Trump on historic election win
News1 month ago

Jonathan congratulates Trump on historic election win

Peter Obi can become president in 2027 — Yunusa Tanko
News1 month ago

Peter Obi can become president in 2027 — Yunusa Tanko

Dua Lipa forced to cancel show after ‘unforeseen safety issues’
Entertainment1 month ago

Dua Lipa forced to cancel show after ‘unforeseen safety issues’

Uzoamaka Onuoha wins Best Female Performance in a feature at AFRIFF 2024
Entertainment1 month ago

Uzoamaka Onuoha wins Best Female Performance in a feature at AFRIFF 2024

'Phoenix Fury' bags Best Film award at the 13th edition of AFRIFF
Entertainment1 month ago

‘Phoenix Fury’ bags Best Film award at the 13th edition of AFRIFF

Vivo begins teasing new Dimensity 9400 flagships internationally
Technology1 month ago

Vivo begins teasing new Dimensity 9400 flagships internationally

Google Pixel 11 and Pixel 11 Pro may trade performance gains for longer battery life
Technology1 month ago

Google Pixel 11 and Pixel 11 Pro may trade performance gains for longer battery life

Manchester United players warned ‘only one is safe’ under Ruben Amorim
Sports1 month ago

Manchester United players warned ‘only one is safe’ under Ruben Amorim

Austin DeAnda given impromptu makeover after he is forced to have haircut in the middle of fight
Sports1 month ago

Austin DeAnda given impromptu makeover after he is forced to have haircut in the middle of fight

IG orders punishment for errant cops
News1 month ago

IG orders punishment for errant cops

Be ready to recover stolen mandate — Ighodalo tells PDP
News1 month ago

Be ready to recover stolen mandate — Ighodalo tells PDP

No part of Ogun will be ceded under my watch — Dapo Abiodun
News1 month ago

No part of Ogun will be ceded under my watch — Dapo Abiodun

Ruger calls out auto tune and hype culture in music
Entertainment1 month ago

Ruger calls out auto tune and hype culture in music

I hate to play same role repeatedly — Actress Bimbo Akintola
Entertainment1 month ago

I hate to play same role repeatedly — Actress Bimbo Akintola

Fans split on Davido, Wizkid, and Burna Boy's Grammy nominations.
Entertainment1 month ago

Fans split on Davido, Wizkid, and Burna Boy’s Grammy nominations

Samsung Galaxy S25 Slim: Leaker reveals launch details for Samsung's rival iPhone 17 Air
Technology1 month ago

Samsung Galaxy S25 Slim: Leaker reveals launch details for Samsung’s rival iPhone 17 Air

Realme names first smartphone to get Android 15 beta worldwide
Technology1 month ago

Realme names first smartphone to get Android 15 beta worldwide

England interim manager tipped for surprise Premier League job
Sports1 month ago

England interim manager tipped for surprise Premier League job

Hakim Ziyech mocks Israeli supporters attacked in Amsterdam
Sports1 month ago

Hakim Ziyech mocks Israeli supporters attacked in Amsterdam

Court jails seven for internet fraud in Kaduna
News1 month ago

Court jails seven for internet fraud in Kaduna

Edo APC criticizes Obaseki’s last-minute appointments
News1 month ago

Edo APC criticizes Obaseki’s last-minute appointments

Edo PDP announces caretaker committee
News1 month ago

Edo PDP announces caretaker committee

Tems makes history after securing 3 nominations for the 67th Grammys
Entertainment1 month ago

Tems makes history after securing 3 nominations for the 67th Grammys

Beyoncé surpasses Jay-Z to become the most nominated artist in Grammy history
Entertainment1 month ago

Beyoncé surpasses Jay-Z to become the most nominated artist in Grammy history

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations
Entertainment1 month ago

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations
Entertainment1 month ago

2025 GRAMMY: Academy unveils category changes ahead of nomination event

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Final Episode 13)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 12)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 11)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 10)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 09)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 08)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 07)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 06)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 05)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 04)

ANE Billboard Hots



Join "ANE sabi" clique

Don't miss a thing, get ogbonge ANE latest updates to fuel your conversation daily.