GHSA-vpr3-cw3h-prw8: SimpleSAMLphp Reflected Cross-site Scripting vulnerability
When sending a SAML message to another entity, SimpleSAMLphp will use the URL of the appropriate endpoint to redirect the user’s browser to it, or craft a form that will be automatically posted to it, depending on the SAML binding used. The URL that’s target of the message is fetched from the stored metadata for the given entity, and that metadata is trusted as correct.
However, if that metadata has been altered by a malicious party (either an attacker or a rogue administrator) to substitute the URLs of the endpoints with javascript code, SimpleSAMLphp was blindly using them without any validation, trusting the contents of the metadata. This would lead to a reflected XSS where the javascript code is sent inline to the web browser, and if SimpleSAMLphp is not using a strict Content Security Policy to forbid inline javascript (which is the case of the default user interface), then the code will be executed in the end user’s browser.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/2019-07-10.yaml
- github.com/advisories/GHSA-vpr3-cw3h-prw8
- github.com/simplesamlphp/simplesamlphp
- github.com/simplesamlphp/simplesamlphp/commit/ce2294e092b3be7db2fc4e18e774b791d4564ff3
- simplesamlphp.org/security/201907-01
Detect and mitigate GHSA-vpr3-cw3h-prw8 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →