(github.blog)

312 points campuscodi | 1 comments | 15 Mar 25 19:06 UTC | HN request time: 0.284s | source

Show context

wcoenen ◴[15 Mar 25 20:46 UTC] No.43375039[source]▶

Isn't the simpler conclusion here that one should look for the signature where it is supposed to be? Instead of using an excessively general XPath like "//ds:Signature" that might find any signature in any unexpected location...

replies(2): >>43375138 #>>43375746 #

TZubiri ◴[15 Mar 25 23:06 UTC] No.43375746[source]▶

>>43375039 #

I feel most responses to vulnerabilities are so lenient, you have to throw out some baby with the bathwater, you can't surgically remove the dangerous component, you gotta chop and throw chemotherapy en masse.

If you are an IT admin with any pride, SAML is out of any future plans. The idea of SSO is suspect as a whole. Xml parsing has been hit twice in a week, avoid it in the future, anything wrong with a policy that replaces xml with json?

replies(3): >>43375854 #>>43376192 #>>43376361 #

1. tptacek ◴[15 Mar 25 23:29 UTC] No.43375854[source]▶

>>43375746 #

For an organization of any significant size (say, anything over 10 people), not deploying SSO would be malpractice. The point of SSO is to have a single point of control and a single, mandatory 2FA stack.

Obviously, if you can avoid doing SSO with SAML, you should.

↑

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials