Bug 47527 - XML signature HMAC truncation authentication bypass
Summary: XML signature HMAC truncation authentication bypass
Status: CLOSED FIXED
Alias: None
Product: Security - Now in JIRA
Classification: Unclassified
Component: C++ Signature (show other bugs)
Version: C++ 1.5.0
Hardware: All All
: P1 blocker
Target Milestone: ---
Assignee: XML Security Developers Mailing List
URL: http://www.kb.cert.org/vuls/id/466161
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-14 11:59 UTC by Scott Cantor
Modified: 2009-07-21 07:39 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Scott Cantor 2009-07-14 11:59:37 UTC 
Apache XML Security (C++) is affected by the vulnerability published in US-Cert VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more information. This bug can allow an attacker to bypass authentication by inserting/modifying a small HMAC truncation length parameter in the XML Signature HMAC based SignatureMethod algorithms.
Comment 1 Scott Cantor 2009-07-14 12:04:35 UTC 
Fix in svn, will be released in 1.5.1.