Bug 45393 - simplesamlphp exception stack traces are exposed
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
P5 normal
UCS 4.2-2-errata
Assigned To: Florian Best
Alexander Kläser
Depends on:
Blocks:
Reported: 2017-09-14 10:53 CEST by Florian Best
Modified: 2017-09-20 15:04 CEST (History)
See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2017091321000666
Bug group (optional):
Max CVSS v3 score:
Description Florian Best univentionstaff 2017-09-14 10:53:34 CEST
BUSINESS RISK
====================
This ticket does not introduce a vulnerability by itself. The headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers. This facilitates further steps.
DESCRIPTION
====================
The remote application does not properly handle application errors, and application stack traces are displayed to the end user, leading to an information disclosure vulnerability.
REMEDIATION
=================
1) Implement a standard exception handling mechanism to intercept all errors.
2) Ensure that the version of the framework and web server in use is not exposed.

PROOF OF CONCEPT
====================
Request:
https://ucs-sso.eu.xyz.com/simplesamlphp/saml2/idp/SSOService.php?SAMLRequest[0]=DAVE
Response:
        <p style="margin: 1px">SimpleSAML_Error_Error: UNHANDLEDEXCEPTION</p>
        <pre style="padding: 1em; font-family: monospace;">Backtrace:
1 /usr/share/simplesamlphp/www/_include.php:43 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Missing SAMLRequest or SAMLResponse parameter.
Backtrace:
2 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:101 (SAML2_HTTPRedirect::receive)
1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:293 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)</pre>
REFERENCES
====================
http://cwe.mitre.org/data/definitions/388.html
https://www.owasp.org/index.php/Error_Handling
Comment 1 Florian Best univentionstaff 2017-09-14 13:54:03 CEST
A new UCR variable has been introduced which makes this configurable:
'saml/idp/show-errors'

The default is set to true as it eases error reporting.
simplesamlphp is open source, UCS is open source, there is no security-relevant information. Even the version number of simplesamlphp can be viewed by looking at which UCS version is in use.

univention-saml (4.0.14-8):
2ef97577007803e37d882b0e2893fdd49d20bbcc | Merge branch 'fbest/45393-simplesamlphp-stacktraces' into 4.2-2
a140260cf3f7919c2c890840c3252d178f8909ed | Bug #45393: make displaying of simplesamlphp exceptions configurable

univention-saml.yaml:
2ef97577007803e37d882b0e2893fdd49d20bbcc | Merge branch 'fbest/45393-simplesamlphp-stacktraces' into 4.2-2
acb0c25df66b4871accdeb4176c68c8c9231ef72 | YAML Bug #45393
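As an added illustration of remediation item 1 in the description together with the configurable switch from comment 1 (example code, not Univention's or SimpleSAMLphp's): a top-level exception handler that always logs the full backtrace server-side and only puts it into the HTTP response when an explicit switch is on. The SHOW_ERRORS environment variable standing in for saml/idp/show-errors is a hypothetical placeholder; PHP 7.4 or later is assumed.

```php
<?php
// Added example, not Univention's or SimpleSAMLphp's code: a top-level
// exception handler along the lines of remediation item 1. The full backtrace
// always goes to the server log; the HTTP response carries it only when an
// explicit switch is on, mirroring the configurable behaviour of the UCR
// variable saml/idp/show-errors. SHOW_ERRORS is a hypothetical stand-in.

function renderError(Throwable $e, bool $showErrors): string
{
    // Correlation id so support can find the log entry without a visible trace.
    $ref = bin2hex(random_bytes(8));

    // Server side: always log class, message and backtrace, tagged with $ref.
    error_log(sprintf(
        "[%s] unhandled %s: %s\n%s",
        $ref, get_class($e), $e->getMessage(), $e->getTraceAsString()
    ));

    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

    if ($showErrors) {
        // Verbose mode (development / support): same detail as the logged entry.
        return '<p>' . $esc(get_class($e) . ': ' . $e->getMessage()) . '</p>'
             . '<pre>' . $esc($e->getTraceAsString()) . '</pre>';
    }

    // Production: generic message plus the reference, no paths or stack frames.
    return '<p>An internal error occurred. Reference: ' . $esc($ref) . '</p>';
}

set_exception_handler(function (Throwable $e): void {
    // getenv() returns false when unset, so the default is "off".
    $showErrors = filter_var(getenv('SHOW_ERRORS') ?: 'false', FILTER_VALIDATE_BOOLEAN);
    http_response_code(500);
    header('Content-Type: text/html; charset=utf-8');
    echo renderError($e, $showErrors);
});

// Demonstration of the condition from the proof of concept: SAMLRequest[0]=DAVE
// arrives as an array rather than a string, so it is treated as missing.
$req = $_GET['SAMLRequest'] ?? null;
if (!is_string($req) || $req === '') {
    throw new Exception('Missing SAMLRequest or SAMLResponse parameter.');
}
echo '<p>SAMLRequest accepted.</p>';
```

With SHOW_ERRORS unset the browser sees only the generic message and reference, while the operator still has the complete trace in the web server's error log.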
Comment 2 Alexander Kläser univentionstaff 2017-09-18 12:28:09 CEST
Works as expected. I adapted the YAML file entry and added the package version.

univention-saml.yaml:
9ea0be640966 | Bug #45393: adapt YAML entry + add package version

→ VERIFIED
Comment 3 Erik Damrose univentionstaff 2017-09-20 15:04:10 CEST
<http://errata.software-univention.de/ucs/4.2/170.html>