Summary by meeranh
Overview
A SAML authentication bypass vulnerability was identified on scijinks.gov that allowed an unauthenticated attacker to obtain a fully authenticated Drupal administrator session in a single HTTP request. Since scijinks.gov and nesdis.noaa.gov share the same Drupal instance, both domains were affected.
Vulnerability
The SAML Assertion Consumer Service (ACS) endpoint at /saml/acs did not verify that incoming SAML responses were cryptographically signed by the trusted Identity Provider. The XML signature is the only thing that binds a SAML response to the IdP, so once it goes unchecked every field in the response, including the subject, is attacker-controlled. A completely fabricated SAML response containing no digital signature was accepted and processed, allowing an attacker to impersonate any user by specifying an arbitrary NameID.
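To make the failure concrete, the following is an added example (not code from the report, the site, or its Drupal SAML module): it builds the kind of unsigned SAML Response an attacker would POST as the SAMLResponse form field, then runs it through a handler that behaves the way the vulnerable ACS did and through a hardened one that refuses it. Hostnames, IDs, timestamps and the `verify_signature` hook are assumptions for illustration; the hook stands in for a real XMLDSig verifier such as xmlsec, which is what must do the cryptographic check in production.

```python
"""Forged unsigned SAML Response vs. a vulnerable and a hardened ACS handler.
Added example; hostnames, IDs, timestamps and verify_signature are assumed."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET  # production: defusedxml/lxml with entity resolution off

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

TRUSTED_IDP = "https://idp.example.test/metadata"     # assumed placeholder
SP_AUDIENCE = "https://sp.example.test/saml/metadata"  # assumed placeholder
NOW = dt.datetime(2024, 1, 1, 12, 0, tzinfo=dt.timezone.utc)  # fixed clock for the sample


def build_forged_response(name_id, issuer=TRUSTED_IDP, audience=SP_AUDIENCE,
                          with_signature_element=False):
    """Constructed sample of what the attacker sends: structurally valid SAML,
    an arbitrary NameID, and (by default) no ds:Signature anywhere."""
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>AAAA</ds:SignatureValue>'
           '</ds:Signature>' if with_signature_element else '')
    xml_text = f'''<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>{sig}
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>'''
    return base64.b64encode(xml_text.encode()).decode()  # the SAMLResponse form field


def vulnerable_acs(saml_response_b64):
    """The bug: NameID is read straight out of the XML and used to log the
    user in, with no signature check at all."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return root.find(f".//{{{SAML}}}NameID").text


class SamlRejected(Exception):
    pass


def _ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def hardened_acs(saml_response_b64, verify_signature, now=NOW,
                 trusted_issuer=TRUSTED_IDP, audience=SP_AUDIENCE):
    """Accept only what is provably from the IdP.  verify_signature(elem) must do
    real XMLDSig verification against the IdP key from metadata (e.g. xmlsec);
    it is a hook here, not an implementation."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlRejected("not a samlp:Response")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one Assertion")
    assertion = assertions[0]
    # 1. No signature is a rejection, never a pass. A signature on the Response
    #    (covering the whole document) or on the Assertion itself is acceptable.
    signed = [e for e in (root, assertion) if e.find(f"{{{DS}}}Signature") is not None]
    if not signed:
        raise SamlRejected("no ds:Signature on Response or Assertion")
    # 2. Presence is not proof: every signature present must verify, and the
    #    verifier must confirm the signed Reference is the element actually used
    #    (signature-wrapping defence).
    for elem in signed:
        if not verify_signature(elem):
            raise SamlRejected("signature verification failed")
    # 3. Issuer pinned to the configured IdP at both levels.
    for elem in (root, assertion):
        iss = elem.find(f"{{{SAML}}}Issuer")
        if iss is None or (iss.text or "").strip() != trusted_issuer:
            raise SamlRejected("untrusted Issuer")
    # 4. Status, validity window and audience.
    sc = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if sc is None or sc.get("Value") != SUCCESS:
        raise SamlRejected("non-success status")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise SamlRejected("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or noa is None or now >= _ts(noa):
        raise SamlRejected("assertion outside its validity window")
    if audience not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        raise SamlRejected("audience mismatch")
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not name_id.text:
        raise SamlRejected("missing NameID")
    return name_id.text


def acs_outcome(saml_response_b64, verify_signature=lambda elem: False):
    """NameID the hardened handler would log in, or the reason it refused."""
    try:
        return "accepted:" + hardened_acs(saml_response_b64, verify_signature)
    except SamlRejected as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    forged = build_forged_response("admin")
    print("vulnerable handler logs in as:", vulnerable_acs(forged))
    print("hardened handler:", acs_outcome(forged))
```

The ordering in `hardened_acs` is deliberate: the signature decision comes first, before any attacker-controlled value such as Issuer, Audience or NameID is trusted for anything, and "no signature found" is treated as an attack rather than as a request to skip the check. Issuer and audience pinning matter even once signatures are verified, because a valid assertion from a different IdP, or one issued for a different SP, is otherwise just as good to an attacker as a forged one.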
Impact
- Full Drupal administrator session obtained without any credentials
- Access to the Drupal administration interface, including content management, user accounts, and site configuration
- Both scijinks.gov and nesdis.noaa.gov were affected
Resolution
The issue has been resolved. The ACS endpoint now correctly validates SAML response signatures and rejects unsigned assertions.