Skip to content

Information disclosure of source code in SimpleSAMLphp

Low severity GitHub Reviewed Published Apr 17, 2020 in simplesamlphp/simplesamlphp • Updated Feb 6, 2024

Package

composer simplesamlphp/simplesamlphp (Composer)

Affected versions

< 1.18.6

Patched versions

1.18.6

Description

Background

The module controller in SimpleSAML\Module that processes requests for pages
hosted by modules, has code to identify paths ending with .php and process
those as PHP code. If no other suitable way of handling the given path exists it
presents the file to the browser.

Description

The check to identify paths ending with .php does not account for uppercase
letters. If someone requests a path ending with e.g. .PHP and the server is
serving the code from a case-insensitive file system, such as on Windows, the
processing of the PHP code does not occur, and the source code is instead
presented to the browser.

Affected versions

SimpleSAMLphp versions 1.18.5 and older.

Impact

An attacker may use this issue to gain access to the source code in third-party
modules that is meant to be private, or even sensitive. However, the attack
surface is considered small, as the attack will only work when SimpleSAMLphp
serves such content from a file system that is not case-sensitive, such as on
Windows.

Resolution

Upgrade the SimpleSAMLphp installation to version 1.18.6.

Credit

This vulnerability was discovered and reported by Sławek Naczyński.

References

@olavmrk olavmrk published to simplesamlphp/simplesamlphp Apr 17, 2020
Reviewed Apr 21, 2020
Published by the National Vulnerability Database Apr 21, 2020
Published to the GitHub Advisory Database Apr 22, 2020
Last updated Feb 6, 2024

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

EPSS score

0.050%
(21st percentile)

CVE ID

CVE-2020-5301

GHSA ID

GHSA-24m3-w8g9-jwpq

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.