Prevent SSO fixation attacks against WebGUI by modifying Operation/SSO to log the user in as the user with a different session, and to require a flag in the config file to enable it. This feature will be removed in WebGUI 8. Fixes bug #12004.

docs/changelog/7.x.x.txt

@@ -27,6 +27,7 @@
  - fixed #11976: Use Container URL in search gives user Permission Denied
  - fixed #11985: Search.pl should warn on bad assets
  - fixed #12008: Activity CleanLoginHistory is too slow
+ - fixed #12004: SSO operation vulnerable to session fixation attacks
 
 7.10.6
  - fixed #11974: Toolbar icons unclickable in Webkit using HTML5

docs/upgrades/upgrade_7.10.6-7.10.7.pl

@@ -33,6 +33,7 @@ my $session = start(); # this line required
 # upgrade functions go here
 addEmailIndexToProfile( $session );
 addIndecesToUserLoginLog($session);
+addSSOOptionToConfigs($session);
 
 finish($session); # this line required
 
@@ -46,6 +47,15 @@ finish($session); # this line required
 #    print "DONE!\n" unless $quiet;
 #}
 
+#----------------------------------------------------------------------------
+# Add an index to the userProfileData table for email lookups
+sub addSSOOptionToConfigs {
+    my $session = shift;
+    print "\tAdding SSO flag to config file to enable the feature... " unless $quiet;
+    $session->config->set('enableSimpleSSO', 0);
+    print "DONE!\n" unless $quiet;
+}
+
 #----------------------------------------------------------------------------
 # Add an index to the userProfileData table for email lookups
 sub addEmailIndexToProfile {