Univention Bugzilla – Bug 38933
simplesamlphp security: PHP code execution
Last modified: 2021-06-23 07:29:14 CEST
We are writing simplesamlphp PHP configuration files with a listener module. There is no PHP escaping leading to broken config files and code-injections. E.g. by entering the string as simplesamlLDAPattributes: ' . system('find / -delete') . '
The listener module should do a PHP syntax check (php -lf filename.php) and fail if this wasn't successful. Entering a single quote (') anywhere breaks the complete config.
Everything is escaped now: strings, arrays, booleans. A syntax check is also executed; if it fails to verify correct syntax, the file is not written.
OK: Error message in listener.log if parsing fails
Reopen: Please add a changelog entry. It should mention that errors can be found in the listener log
(In reply to Erik Damrose from comment #3)
> OK: Error message in listener.log if parsing fails
> Reopen: Please add a changelog entry. It should mention that errors can be
> found in the listener log

There still was a typo (' was not escaped into \'). This has been fixed.
OK: changelog
OK: I could not reproduce any syntax errors
Verified
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html
If this error occurs again, please use "Clone This Bug".
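An added example, not part of the bug thread and not Univention's code: a Python sketch of the fix the comments describe, rendering values as escaped PHP literals and running the `php -l` syntax check before the config file is replaced. The function names, the `$config['attributes']` key and the sample values are assumptions made for illustration.

```python
import os
import shutil
import subprocess
import tempfile


def php_literal(value):
    """Render a Python value as a PHP literal; strings are never spliced in raw."""
    if isinstance(value, bool):          # check bool before int: bool is an int subclass
        return "true" if value else "false"
    if value is None:
        return "null"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        # In a single-quoted PHP string only \\ and \' are escapes.
        # Escape the backslash first so the quote's backslash is not doubled.
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    if isinstance(value, (list, tuple)):
        return "array(" + ", ".join(php_literal(v) for v in value) + ")"
    if isinstance(value, dict):
        items = (php_literal(k) + " => " + php_literal(v) for k, v in value.items())
        return "array(" + ", ".join(items) + ")"
    raise TypeError("unsupported type for PHP config: %r" % type(value))


def write_checked(path, php_source):
    """Lint a temp file with `php -l`; replace `path` only if the lint passes."""
    php = shutil.which("php")
    if php is None:
        raise RuntimeError("php binary not found; refusing to write unchecked config")
    fd, tmp = tempfile.mkstemp(suffix=".php", dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(php_source)
        lint = subprocess.run([php, "-l", "-f", tmp], capture_output=True, text=True)
        if lint.returncode != 0:
            raise ValueError("PHP syntax check failed: " + lint.stdout.strip())
        os.replace(tmp, path)            # atomic: the old file stays until this succeeds
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


# Constructed input: the string from the report, stored as an attribute value.
REPORTED = "' . system('find / -delete') . '"
CONFIG = "<?php\n$config['attributes'] = " + php_literal([REPORTED, "uid"]) + ";\n"
```

With escaping in place the reported string ends up as an inert string literal in `CONFIG`; the syntax check remains as a second, fail-closed guard against any value the escaper mishandles.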