Forums, Documentation & Knowledge Base - ComponentSpace

Vulnerability Note VU#475445

By ComponentSpace - 2/27/2018

Vulnerability Note VU#475445
Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal
ComponentSpace can confirm that no versions of its SAML products are affected by this vulnerability.
No action is required.

By ComponentSpace - 2/28/2018

Hi Neil
That's exactly right. Just to elaborate a little, suppose the SAML assertion included:
An attacker could manipulate this by adding an XML comment.
For example:
<NameID>test@component<!-- this is a comment --></NameID>
The addition of the comment doesn't affect the signature verification as the canonicalization removes the comment.
So, now the XML consists of an element with three child nodes – text, comment and text.
Some libraries simply take the first text node (ie test@component)
We concatenate all the text nodes ( by calling the XmlNode.InnerText property.