Great to see ComponentSpace on top of things! And if anyone is particularly interested in the technical reason why it's not affected... Right down in the heart of the ComponentSpace Assertion handling, the XML parsing is, in part, offloaded to the .NET XML objects (in the System.Xml namespace). The vulnerability relies on poor implementation of the retrieval of the internal text of the NameID node in the assertion. When an attacker inserts an HTML/XML comment into the node, the value of the NameID returned by the XML library can be manipulated without invalidating the signature. The good news is that XmlNode.InnerText returns a concatenation of all text nodes found within the selected element, ignoring comment nodes completely, and so is not vulnerable to these attacks. :)
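The difference described in the comment above, as an added C# example that is not part of the original post and is not ComponentSpace code: it compares a read that stops at the first text node with `XmlNode.InnerText`, and adds a check that flags any comment inside NameID. The class name, helper names and the sample NameID value are assumptions made for illustration.

```csharp
using System;
using System.Xml;

static class NameIdReadDemo
{
    // Constructed sample: a NameID element whose text is split by a comment node.
    const string SampleNameId =
        "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" +
        "user<!-- constructed comment -->name@example.com</saml:NameID>";

    // Fragile read (hypothetical helper): returns only the first text node,
    // so the value it reports ends where the comment begins.
    public static string FirstTextNodeOnly(XmlNode nameId)
    {
        foreach (XmlNode child in nameId.ChildNodes)
            if (child.NodeType == XmlNodeType.Text)
                return child.Value;
        return string.Empty;
    }

    // The read described in the post: InnerText concatenates every text node
    // under the element and skips comment nodes.
    public static string FullText(XmlNode nameId) => nameId.InnerText;

    // Defensive check (hypothetical helper): flag a NameID that contains
    // a comment node anywhere beneath it.
    public static bool ContainsComment(XmlNode nameId) =>
        nameId.SelectNodes(".//comment()").Count > 0;

    static void Main()
    {
        // XmlDocument keeps comment nodes in the tree, so both reads can be compared.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(SampleNameId);
        XmlNode nameId = doc.DocumentElement;

        string partial = FirstTextNodeOnly(nameId);
        string full = FullText(nameId);

        Console.WriteLine("first text node : " + partial);
        Console.WriteLine("InnerText       : " + full);
        Console.WriteLine("has comment     : " + ContainsComment(nameId));
        Console.WriteLine("reads disagree  : " + (partial != full));
    }
}
```

A mismatch between the two reads, or any comment inside NameID, is a reasonable signal to log and reject the assertion before the identifier is used for account lookup.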