Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12ODU4LTkyMmYtZmo5ds4AA8jA
SimpleSAMLphp Link Injection vulnerability
Background
Several scripts part of SimpleSAMLphp display a web page with links obtained from the request parameters. This allows us to enhance usability, as the users are presented with links they can follow after completing a certain action, like logging out.
Description
The following scripts were not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on:
- www/logout.php
- modules/core/www/no_cookie.php
The issue allowed attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the link_href and retryURL HTTP parameters, respectively. The issue was resolved by including a verification of the URLs received in the request against a white list of websites specified in the trusted.url.domains configuration option.
Affected versions
All SimpleSAMLphp versions prior to 1.14.4.
Impact
A remote attacker could craft a link pointing to a trusted website running SimpleSAMLphp, including a parameter pointing to a malicious website, and try to fool the victim into visiting that website by clicking on a link in the page presented by SimpleSAMLphp.
Permalink: https://github.com/advisories/GHSA-v858-922f-fj9vJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ODU4LTkyMmYtZmo5ds4AA8jA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-v858-922f-fj9v
References:
- https://github.com/simplesamlphp/simplesamlphp/commit/b1af4e47c81bca2bee633b3f84f4fde624f359ba
- https://github.com/simplesamlphp/simplesamlphp/commit/d26eb8f17dc9916a5ef2fd0a286b0fc96a561e71
- https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/201606-01.yaml
- https://simplesamlphp.org/security/201606-01
- https://github.com/advisories/GHSA-v858-922f-fj9v
Blast Radius: 13.5
Affected Packages
packagist:simplesamlphp/simplesamlphp
Dependent packages: 166Dependent repositories: 318
Downloads: 9,597,086 total
Affected Version Ranges: < 1.14.4
Fixed in: 1.14.4
All affected versions: 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.3
All unaffected versions: 1.14.4, 1.14.5, 1.14.6, 1.14.7, 1.14.8, 1.14.9, 1.14.10, 1.14.11, 1.14.12, 1.14.13, 1.14.14, 1.14.15, 1.14.16, 1.14.17, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.17.5, 1.17.6, 1.17.7, 1.17.8, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.18.6, 1.18.7, 1.18.8, 1.18.9, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.19.6, 1.19.7, 1.19.8, 1.19.9, 2.0.0, 2.0.1, 2.0.2, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 99.99.99