Bug 38933 - simplesamlphp security: PHP code execution
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1
Assigned To: Florian Best
QA Contact: Erik Damrose
: interim-2
Depends on:
Blocks:
Reported: 2015-07-16 12:56 CEST by Florian Best
Modified: 2021-06-23 07:29 CEST

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Description Florian Best univentionstaff 2015-07-16 12:56:44 CEST
We are writing simplesamlphp PHP configuration files with a listener module.
There is no PHP escaping leading to broken config files and code-injections.

E.g. by entering the string as simplesamlLDAPattributes:
' . system('find / -delete') . '
Comment 1 Florian Best univentionstaff 2015-07-20 13:28:12 CEST
The listener module should do a PHP syntax check (php -lf filename.php) and fail if this wasn't successful. Entering a single quote (') anywhere breaks the complete config.
Comment 2 Florian Best univentionstaff 2015-09-08 14:52:04 CEST
Everything is escaped now: strings, arrays, booleans.
A syntax check is also executed; if it fails to verify correct syntax, the file is not written.
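The two measures described in this comment (escaping every emitted value, then linting the result before writing it) are shown below as an added Python example. It is not the UCS listener module's own code; the function names, the `$config` variable name and the sample attribute values are assumptions made for the illustration.

```python
import os
import shutil
import subprocess
import tempfile


def naive_literal(value):
    """The unsafe pattern the bug describes: the value is pasted between quotes unescaped."""
    return "'" + str(value) + "'"


def php_literal(value):
    """Render a Python value as a PHP literal (string, int, bool, null, array).

    PHP single-quoted strings recognise only the escapes \\\\ and \\', so
    escaping the backslash first and then the quote is sufficient for any
    input, including one that tries to close the quote and call a function.
    """
    if value is None:
        return "null"
    if isinstance(value, bool):          # checked before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    if isinstance(value, dict):
        items = ", ".join(f"{php_literal(k)} => {php_literal(v)}" for k, v in value.items())
        return "array(" + items + ")"
    if isinstance(value, (list, tuple)):
        return "array(" + ", ".join(php_literal(v) for v in value) + ")"
    raise TypeError(f"no PHP representation for {type(value).__name__}")


def render_config(settings, varname="$config"):
    """Build the PHP file body; the variable name is an assumption for this example."""
    return f"<?php\n{varname} = {php_literal(settings)};\n"


def php_syntax_ok(source):
    """Run `php -l` (lint) on the rendered source, as Comment 1 proposes.

    Returns True/False, or None when no php binary is installed so the
    caller can decide how to treat an unavailable check.
    """
    php = shutil.which("php")
    if php is None:
        return None
    fd, path = tempfile.mkstemp(suffix=".php")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(source)
        result = subprocess.run([php, "-l", path], capture_output=True, text=True)
        return result.returncode == 0
    finally:
        os.unlink(path)


def write_config(path, settings):
    """Render, lint, and only then write; a failed lint leaves the old file untouched."""
    source = render_config(settings)
    if php_syntax_ok(source) is False:
        raise ValueError("refusing to write PHP config: syntax check failed")
    with open(path, "w") as fh:
        fh.write(source)
    return source


if __name__ == "__main__":
    # Constructed sample: an attribute value shaped like the string from the report.
    hostile = "' . 'injected' . '"
    print(naive_literal(hostile))   # quote is closed, so PHP evaluates the expression
    print(php_literal(hostile))     # quote is escaped, so it stays an inert string
    print(render_config({"simplesamlLDAPattributes": [hostile, "uid"], "debug": False}))
```

The escaping is the actual fix: `php -l` only checks syntax, so a value that closes the quote and appends a syntactically valid expression would pass the lint but still run. The lint is the safety net that stops a broken file from replacing a working one, which is why `write_config` refuses to write on a failed check instead of writing and logging.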
Comment 3 Erik Damrose univentionstaff 2015-10-06 12:32:04 CEST
OK: Error message in listener.log if parsing fails
Reopen: Please add a changelog entry. It should mention that errors can be found in the listener log
Comment 4 Florian Best univentionstaff 2015-10-06 13:01:43 CEST
(In reply to Erik Damrose from comment #3)
> OK: Error message in listener.log if parsing fails
> Reopen: Please add a changelog entry. It should mention that errors can be
> found in the listener log
There still was a typo (' was not escaped into \'). This has been fixed.
Comment 5 Erik Damrose univentionstaff 2015-10-06 13:18:02 CEST
OK: changelog
OK: I could not reproduce any syntax errors
Verified
Comment 6 Stefan Gohmann univentionstaff 2015-11-17 12:12:49 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".