Univention Bugzilla – Bug 51801
simplesamlphp: disable error reporting form
Last modified: 2020-08-26 16:35:35 CEST
Created attachment 10453 [details] example spam mail body The current SimpleSAMLPHP configuration shows an error reporting form if an error occurs. The user can enter details, and an email is dispatched to "root". This is a bad idea: we just had one customer where an automated bot tried thousands of exploits by POSTing data like "'); drop table …" to those form fields. They, in turn, generated an email per POST. And as we receive mail to "root" in real mailboxes, that mailbox was spammed with ~2.000 mails in 15 minutes before I had a chance to stop Postfix. Apart from it being an unnecessary source for potential spam I also don't consider that form to be really useful for regular people. Most wouldn't know what do enter as a useful description, even technically knowledgeable people would most likely fail to produce good bug reports solely via that form. Fortunately turning off said error reporting form is easy: just add "'errorreporting' => false," to "/etc/simplesamlphp/config.php" (or rather, the template it is generated from). Please consider turning the form off unconditionally, or at least make it configurable via a UCR variable. At the moment we have to keep modified templates around for it. Thanks.
Hi Moritz, does setting UCRv saml/idp/show-errors=false help as a workaround here?
With UCR set saml/idp/technicalcontactemail you can change the email address from root@domainname to something else.
Created attachment 10455 [details] patch (git:fbest/51801-saml-configurable-error-reporting)
(In reply to Florian Best from comment #3) > Created attachment 10455 [details] > patch (git:fbest/51801-saml-configurable-error-reporting) Patch contains small typo, use the version from git.
> does setting UCRv saml/idp/show-errors=false help as a workaround here? No, it doesn't. I tried that before adding "errorreporting" to the config.php without success. The form was still displayed, or rather, POSTs to it were still accepted. > With UCR set saml/idp/technicalcontactemail you can change the email address from root@domainname to something else. Yeah, but that isn't a solution, it just redirects the misuse somewhere else. Depending on your system setting this still allows the attacker to fill up your hard drive. It also still clogs up your resources. For our customer Postfix is configured to pass all mails through anti-spam daemons and those hog all CPUs. Thanks for looking into it & implementing a way to turn it off.
Added the UCR variable saml/idp/show-error-reporting to disable the PHP form which sends emails. Additionally some robustness fixes has been done to evaluation of some UCR variables. univention-saml (6.0.2-48) 48f9021754dc | Bug #51801: make saml/idp/ldap/get_attributes and saml/idp/ldap/search_attributes safe for UCRs bogus tab completion eb8faf1452ba | Bug #51801: make UCR variables boolean 42d7697c096c | Bug #51801: make error reporting configurable univention-saml.yaml b1523b7019a2 | YAML Bug #51801
Much appreciated! Thanks.
sorry, I commited some typos. They have been fixed in: univention-saml (6.0.2-50) f2925448b121 | Bug #51801: add missing bracket c2a94c347a70 | Bug #51801: add missing bracket
OK: The button to send error reports is diabled if saml/idp/show-errors=false is set OK: post request are ignored if saml/idp/show-errors=false is set OK: yaml -> verified
<https://errata.software-univention.de/#/?erratum=4.4x725>