|Bulletin Number: #2002001
Date: October 10, 2002
Title: LECP Security Vulnerability
Liberty Alliance Security Bulletin
The information contained in this Security Bulletin is provided “AS IS.” Liberty Alliance makes no warranties of any kind whatsoever with respect to the information contained in this Security Bulletin.
ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL LIBERTY ALLIANCE BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS SECURITY BULLETIN, EVEN IF LIBERTY ALLIANCE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.
A vulnerability in the Liberty-enabled Client/Proxy (LECP) Profile may allow a spurious site to interpose itself between the LECP and a legitimate service provider such that the intermediary can impersonate the user principal.
Clients and proxy software implementations of the LECP profile are vulnerable. Identity and service providers which implement the LECP profile are vulnerable. Service providers which implement the Liberty Browser Post, or Liberty WML Post, are indirectly exposed to this risk. The Liberty Browser Artifact profile is not affected by this vulnerability.
2. Mitigating Factors
The Liberty Alliance is unaware of any implementations or deployments of the Liberty-Enabled Client/Proxy Profile.
The following specifications and XSD files are affected:
4. Updated Specifications or Errata