Security Upgrade SimpleSAML 1.18.4 to 1.18.7
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara 19.04 | Fix Released | High | Unassigned | |
| Mahara 19.10 | Fix Released | High | Unassigned | |
| Mahara 20.04 | Fix Released | High | Unassigned | |
| Mahara 20.10 | Fix Released | High | Lisa Seeto | |
Bug Description
From https:/
Date
April 03, 2020
Affected versions
SimpleSAMLphp 1.18.5 and older
Severity
Low
Background
The module controller in SimpleSAML\Module that processes requests for pages hosted by modules has code to identify paths ending with .php and process those as PHP code. If no other suitable way of handling the given path exists, it presents the file to the browser.
Description
The check to identify paths ending with .php does not account for uppercase letters. If someone requests a path ending with e.g. .PHP and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser.
Affected versions
SimpleSAMLphp versions 1.18.5 and older.
We will upgrade to version 1.18.7
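To make the advisory's point concrete, here is an added illustration (not SimpleSAMLphp's or Mahara's own code; the function names are hypothetical) of a module dispatcher that decides whether a request path is PHP to execute or a static file to serve, with the case-sensitive suffix check beside a case-insensitive one:

```php
<?php
// Added illustration, not SimpleSAMLphp's or Mahara's code. Function
// names are hypothetical.

// Weak check: exact, case-sensitive suffix match. On a case-insensitive
// file system a request for "/index.PHP" resolves to "index.php" on disk,
// but fails this test, so the dispatcher falls through to serving the
// file's bytes (the PHP source) to the browser.
function isPhpPathWeak(string $path): bool
{
    return substr($path, -4) === '.php';
}

// Hardened check: fold the extension to lower case before comparing, so
// every spelling of ".php" is treated as code and never as a static file.
function isPhpPathHardened(string $path): bool
{
    $ext = pathinfo($path, PATHINFO_EXTENSION);
    return strtolower($ext) === 'php';
}

// Dispatcher: returns the action taken for a request path given a check.
function dispatch(string $path, callable $isPhp): string
{
    if ($isPhp($path)) {
        return 'execute';      // hand the file to the PHP interpreter
    }
    return 'serve-static';     // send the raw file contents to the browser
}

// Constructed sample paths: only the weak check serves "index.PHP" as static.
$samples = ['/module/index.php', '/module/index.PHP', '/module/Index.Php', '/module/style.css'];
foreach ($samples as $p) {
    printf("%-20s weak=%-12s hardened=%s\n", $p,
        dispatch($p, 'isPhpPathWeak'), dispatch($p, 'isPhpPathHardened'));
}
```

A server-side check like the hardened one is what closes the disclosure; a web server configured to never serve module source files directly is the usual defence in depth beside it.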
Changed in mahara:
milestone: none → 19.10.4
milestone: 19.10.4 → none
milestone: none → 19.04.6
Changed in mahara:
milestone: 20.10.0 → none
no longer affects: mahara
This patch introduces an error; it currently produces the following while trying to log in via SAML login:
```
[WAR] 84 (auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:499) openssl_sign(): supplied key param cannot be coerced into a private key
Call stack (most recent first):
  * log_message("openssl_sign(): supplied key param cannot be coerc...", 8, true, true, "/home/lisaseeto/code/mahara/htdocs/auth/saml/extli...", 499) at /home/lisaseeto/code/mahara/htdocs/lib/errors.php:521
  * error(2, "openssl_sign(): supplied key param cannot be coerc...", "/home/lisaseeto/code/mahara/htdocs/auth/saml/extli...", 499, array(size 3)) at Unknown:0
  * openssl_sign("SAMLRequest=fVJdb8IgFP0rDe%2BVWr9aoiZOs8zETbO6Pexl...", null, false, "SHA256") at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:499
  * RobRichards\XMLSecLibs\XMLSecurityKey->signOpenSSL("SAMLRequest=fVJdb8IgFP0rDe%2BVWr9aoiZOs8zETbO6Pexl...") at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:580
  * RobRichards\XMLSecLibs\XMLSecurityKey->signData("SAMLRequest=fVJdb8IgFP0rDe%2BVWr9aoiZOs8zETbO6Pexl...") at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:61
  * SAML2\HTTPRedirect->getRedirectURL(object(SAML2\AuthnRequest)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:84
  * SAML2\HTTPRedirect->send(object(SAML2\AuthnRequest)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:704
  * SimpleSAML\Module\saml\Auth\Source\SP->sendSAML2AuthnRequest(array(size 18), object(SAML2\HTTPRedirect), object(SAML2\AuthnRequest)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:686
  * SimpleSAML\Module\saml\Auth\Source\SP->startSSO2(object(SimpleSAML\Configuration), array(size 18)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:728
  * SimpleSAML\Module\saml\Auth\Source\SP->startSSO("http://idp1:8084/simplesaml/saml2/idp/metadata.php", array(size 15)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:826
  * SimpleSAML\Module\saml\Auth\Source\SP->authenticate(array(size 15)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Auth/Source.php:208
  * SimpleSAML\Auth\Source->initLogin("http://mahara/auth/saml/index.php", null, array(size 3)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:167
  * SimpleSAML\Auth\Simple->login(array(size 3)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:109
  * SimpleSAML\Auth\Simple->requireAuth(array(size 2)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/index.php:127
[WAR] 84 (lib/errors.php:536) [SimpleSAML\Error\UnserializableException]: Failure Signing Data: error:23077074:PKCS12 routines:PKCS12...
```