Bug 43873 - PHP tries to execute (remote) code returned by HTTP redirection?
Status: CLOSED DUPLICATE of bug 43783
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.2
Other Linux
: P5 normal
: UCS 4.2
Assigned To: Florian Best
Erik Damrose
: interim-4
: 43879
Reported: 2017-03-15 13:48 CET by Philipp Hahn
Modified: 2017-04-04 18:29 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.034

Description Philipp Hahn univentionstaff 2017-03-15 13:48:26 CET
15.03.17 13:41:16.525  LISTENER    ( WARN    ) : initializing module univention-saml-simplesamlphp-configuration
15.03.17 13:41:16.867  LISTENER    ( ERROR   ) : broken PHP syntax(255) in /etc/simplesamlphp/metadata.d/https:__master42.phahn.dev_univention_saml_metadata.php: PHP Parse error:  syntax error, unexpected '<', expecting end of file in /etc/simplesamlphp/metadata.d/https:__master42.phahn.dev_univention_saml_metadata.php on line 2
Errors parsing /etc/simplesamlphp/metadata.d/https:__master42.phahn.dev_univention_saml_metadata.php

15.03.17 13:41:16.867  LISTENER    ( ERROR   ) : repr('<?php\n<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\n<html xmlns="http://www.w3.org/1999/xhtml">\n  <head>\n    <meta http-equiv="content-type" content="text/html; charset=utf-8">\n    <title>Redirect</title>\n  </head>\n  <body>\n    <h1>Redirect</h1>\n      <p>You were redirected to: <a id="redirlink" href="http://localhost/simplesamlphp/module.php/core/loginuserpass.php?AuthState=_aa30bd0628b1e143768fb71375a8de61126c73a95b%3Ahttp%3A%2F%2Flocalhost%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fas_login.php%3FAuthId%3Dadmin%26ReturnTo%3Dhttp%253A%252F%252Flocalhost%252Fsimplesamlphp%252Fmodule.php%252Fcore%252Fpostredirect.php%253FRedirId%253D_abfccffdc6de4e480a0e691cf8f5a8ff5702c66e36">http://localhost/simplesamlphp/module.php/core/loginuserpass.php?AuthState=_aa30bd0628b1e143768fb71375a8de61126c73a95b%3Ahttp%3A%2F%2Flocalhost%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fas_login.php%3FAuthId%3Dadmin%26ReturnTo%3Dhttp%253A%252F%252Flocalhost%252Fsimplesamlphp%252Fmodule.php%252Fcore%252Fpostredirect.php%253FRedirId%253D_abfccffdc6de4e480a0e691cf8f5a8ff5702c66e36</a>\n        <script type="text/javascript">document.getElementById("redirlink").focus();</script>\n      </p>\n  </body>\n</html>$further = array(\n\t\'simplesaml.nameidattribute\'\t=> \'uid\',\n\t\'simplesaml.attributes\'\t=> true,\n\t\'attributes\'\t=> array(\'uid\'),\n\t\'attributes.NameFormat\'\t=> \'urn:oasis:names:tc:SAML:2.0:attrname-format:uri\',\n\t\'OrganizationName\'\t=> \'Univention Management Console master42.phahn.dev\',\n\t\'authproc\' => array(\n\t\t100 => array(\'class\' => \'core:AttributeMap\', \'name2oid\'),\n\t),\n);\n$metadata[\'https://master42.phahn.dev/univention/saml/metadata\'] = array_merge($metadata[\'https://master42.phahn.dev/univention/saml/metadata\'], $further);')
15.03.17 13:41:16.869  LISTENER    ( WARN    ) : finished initializing module univention-saml-simplesamlphp-configuration with rv=0
Comment 1 Florian Best univentionstaff 2017-03-15 14:04:22 CET
No, it just validates the PHP syntax; it does not execute it.
Comment 2 Florian Best univentionstaff 2017-03-15 15:58:52 CET
univention-saml (4.0.12-1):
r77740 | Bug #43873: Bug #43783: fix API change of simplesamlphp

For security reasons (DoS), create-metadata.php is now only available to
logged-in administrators. Therefore we need to copy parts of the code for our CLI script.

*** This bug has been marked as a duplicate of bug 43783 ***
Comment 3 Florian Best univentionstaff 2017-03-15 15:59:09 CET
*** Bug 43879 has been marked as a duplicate of this bug. ***
Comment 4 Erik Damrose univentionstaff 2017-03-20 17:59:39 CET
Verified
Comment 5 Stefan Gohmann univentionstaff 2017-04-04 18:29:05 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".
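
The listener log in the description shows an XHTML "Redirect" page written between `<?php` and the `$further` overrides of a file under `/etc/simplesamlphp/metadata.d/`. The following is an added example, not Univention's or SimpleSAMLphp's code, of a check that rejects such a body before any file is written; the function names, the `status` and `content_type` parameters and the sample entity ID are assumptions, since the page shows only the body.

```python
import re

# Constructed sample, shortened from the body shape in the listener log above:
# an XHTML "Redirect" page returned where PHP metadata was expected.
REDIRECT_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<html xmlns="http://www.w3.org/1999/xhtml">\n'
    '  <head><title>Redirect</title></head>\n'
    '  <body><h1>Redirect</h1></body>\n</html>'
)
# Constructed sample of a usable converter result (hypothetical entity ID).
ENTITY_ID = "https://sp.example.test/univention/saml/metadata"
GOOD_BODY = "$metadata['%s'] = array(\n\t'entityid' => '%s',\n);\n" % (ENTITY_ID, ENTITY_ID)
FURTHER = "$further = array(\n\t'attributes'\t=> array('uid'),\n);\n"

MARKUP = re.compile(r"^\s*(<\?xml|<!DOCTYPE|<html)", re.IGNORECASE)


def rejection_reasons(status, content_type, body, entity_id):
    """List why a fetched body must not be written into metadata.d."""
    reasons = []
    if status != 200:
        reasons.append("HTTP status %d, expected 200" % status)
    if "html" in (content_type or "").lower():
        reasons.append("content type is an HTML page")
    if MARKUP.search(body):
        reasons.append("body starts with XML/HTML markup")
    if "<?php" in body or "?>" in body:
        reasons.append("body contains its own PHP open/close tag")
    if "$metadata['%s']" % entity_id not in body:
        reasons.append("no $metadata assignment for the expected entity ID")
    return reasons


def render_metadata_file(status, content_type, body, entity_id, further):
    """Build the file text ('<?php' + body + overrides) or refuse."""
    reasons = rejection_reasons(status, content_type, body, entity_id)
    if reasons:
        raise ValueError("refusing to write metadata: " + "; ".join(reasons))
    return "<?php\n" + body + further


if __name__ == "__main__":
    print(rejection_reasons(200, "text/html; charset=utf-8", REDIRECT_BODY, ENTITY_ID))
    print(render_metadata_file(200, "text/plain", GOOD_BODY, ENTITY_ID, FURTHER))
```

Running the check before the file is created means a login redirect surfaces as an explicit fetch error instead of a PHP parse error in a file already present in `metadata.d`.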