Univention Bugzilla – Bug 45393
simplesamlphp exception stack traces are exposed
Last modified: 2017-09-20 15:04:10 CEST
BUSINESS RISK
====================
This ticket does not introduce a vulnerability by itself. The headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers. This facilitates further steps.

DESCRIPTION
====================
The remote application does not properly handle application errors, and application stack traces are displayed to the end user, leading to an information disclosure vulnerability.

REMEDIATION
=================
1) Implement a standard exception handling mechanism to intercept all errors.
2) Ensure that the version of the used framework and web server is not being exposed.

PROOF OF CONCEPT
====================
Request:
https://ucs-sso.eu.xyz.com/simplesamlphp/saml2/idp/SSOService.php?SAMLRequest[0]=DAVE

Response:
<p style="margin: 1px">SimpleSAML_Error_Error: UNHANDLEDEXCEPTION</p>
<pre style="padding: 1em; font-family: monospace;">Backtrace:
1 /usr/share/simplesamlphp/www/_include.php:43 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Missing SAMLRequest or SAMLResponse parameter.
Backtrace:
2 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:101 (SAML2_HTTPRedirect::receive)
1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:293 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)</pre>

REFERENCES
====================
http://cwe.mitre.org/data/definitions/388.html
https://www.owasp.org/index.php/Error_Handling
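The remediation above (a top-level exception handler that keeps stack traces out of responses, and no framework or server version in the output) can be illustrated with a small PHP front controller. This is an added example and is not Univention's or SimpleSAMLphp's own code; the `SHOW_ERRORS` constant, the `renderErrorPage()` function and the use of `error_log()` as the server-side sink are assumptions made for the example. The full exception, including the backtrace, goes to the server log only; the client sees either a generic message with an opaque reference id, or, when the flag is deliberately enabled, the escaped details.

```php
<?php
// Added example, not code from the bug report or from SimpleSAMLphp.
declare(strict_types=1);

// Assumption: in a real deployment this flag would come from an
// administrator-controlled setting. The safe default is "hidden".
const SHOW_ERRORS = false;

/**
 * Build the HTML body for an uncaught exception.
 *
 * The full exception (class, message, file, line, trace) is written to the
 * server log in every case; it reaches the client only when $showErrors is
 * true, and then HTML-escaped.
 */
function renderErrorPage(Throwable $e, bool $showErrors): string
{
    // Opaque id that lets support correlate the client message with the log.
    $errorId = bin2hex(random_bytes(8));

    error_log(sprintf(
        '[error-id %s] %s: %s in %s:%d%s%s',
        $errorId,
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        PHP_EOL,
        $e->getTraceAsString()
    ));

    if ($showErrors) {
        // Debug mode: verbose output, escaped so it cannot inject markup.
        $head = htmlspecialchars(get_class($e) . ': ' . $e->getMessage(), ENT_QUOTES, 'UTF-8');
        $trace = htmlspecialchars($e->getTraceAsString(), ENT_QUOTES, 'UTF-8');
        return '<p>' . $head . '</p><pre>' . $trace . '</pre>';
    }

    // Production mode: no class names, paths, line numbers or versions.
    return '<p>An internal error occurred. Reference: '
        . htmlspecialchars($errorId, ENT_QUOTES, 'UTF-8') . '</p>';
}

set_exception_handler(function (Throwable $e): void {
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=UTF-8');
        // Remediation item 2: do not advertise the PHP version.
        header_remove('X-Powered-By');
    }
    echo renderErrorPage($e, SHOW_ERRORS);
});

// Demonstration of the failure from the report: the parameter is absent,
// or (as with "SAMLRequest[0]=DAVE") arrives as an array rather than a string.
$request  = $_GET['SAMLRequest']  ?? null;
$response = $_GET['SAMLResponse'] ?? null;
if (!is_string($request) && !is_string($response)) {
    throw new RuntimeException('Missing SAMLRequest or SAMLResponse parameter.');
}
```

Run with `php -S localhost:8080 file.php` and request `/?SAMLRequest[0]=DAVE`: the browser gets a 500 with a generic message and a reference id, while the stack trace appears only in the server's error log. Flip `SHOW_ERRORS` to `true` to get the verbose output back for debugging.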
A new UCR variable has been introduced which makes this configurable: 'saml/idp/show-errors'. The default is set to true as it eases error reporting. simplesamlphp is open source, UCS is open source, there is no security-relevant information. Even the version number of simplesamlphp can be viewed by looking at which UCS version is in use.

univention-saml (4.0.14-8):
2ef97577007803e37d882b0e2893fdd49d20bbcc | Merge branch 'fbest/45393-simplesamlphp-stacktraces' into 4.2-2
a140260cf3f7919c2c890840c3252d178f8909ed | Bug #45393: make displaying of simplesamlphp exceptions configurable

univention-saml.yaml:
2ef97577007803e37d882b0e2893fdd49d20bbcc | Merge branch 'fbest/45393-simplesamlphp-stacktraces' into 4.2-2
acb0c25df66b4871accdeb4176c68c8c9231ef72 | YAML Bug #45393
Works as expected. I adapted the YAML file entry and added the package version.

univention-saml.yaml:
9ea0be640966 | Bug #45393: adapt YAML entry + add package version

→ VERIFIED
<http://errata.software-univention.de/ucs/4.2/170.html>