simpleSAMLphp-1.6.3 is available, with a security fix

It has come to our attention that simpleSAMLphp suffers from a user-assisted cross-site scripting bug with certain browsers. Version 1.6.3 fixes this vulnerability.

The new version can be downloaded from:

sha1sum:

bb4d0307547d3a50a756d4525ef0aee704046160  simplesamlphp-1.6.3.tar.gz

Technical details:

Many pages in simpleSAMLphp take a URL from the query string to determine where to redirect the user. Unfortunately, we did not check the type of URL that we redirect the user to, which makes it easy to make a simpleSAMLphp installation redirect the user to a javascript:-URI. Most browsers will then display an error page, but Firefox displays the redirect page instead.

The redirect page then contains a clickable javascript:-URI, which a user is likely to try to click. Since this javascript:-URI comes from the request URL but is executed in the context of the site doing the redirect, this may allow a remote attacker to trick users into running arbitrary JavaScript on a site running simpleSAMLphp.
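The missing check described above, as an added example (this is not simpleSAMLphp's own code and not the 1.6.3 patch): a redirect target taken from the query string is accepted only if it is an absolute http or https URL, and the link on the fallback redirect page is HTML-escaped. The function names and sample URLs are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not simpleSAMLphp code. Function names are hypothetical.

/**
 * Return true only for absolute http:// or https:// URLs that have a host.
 * Relative URLs are rejected; a caller that wants them must resolve them
 * against its own base URL first.
 */
function isSafeRedirectTarget(string $url): bool
{
    // Reject whitespace and control characters, which some browsers strip
    // before interpreting the scheme (e.g. "java\tscript:").
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Allow-list the scheme instead of trying to block known-bad ones.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/** Build the body of the fallback redirect page with the link escaped. */
function redirectPage(string $url): string
{
    if (!isSafeRedirectTarget($url)) {
        throw new InvalidArgumentException('Refusing non-HTTP(S) redirect target');
    }
    $escaped = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<p>You were redirected to: <a href="' . $escaped . '">'
        . $escaped . '</a></p>';
}

// Constructed sample inputs, as they might arrive in a query parameter.
$samples = [
    'https://sp.example.org/module.php?a=1&b=2',
    'javascript:alert(1)',
    'JavaScript:alert(1)',
    "java\tscript:alert(1)",
    'data:text/html,hello',
    '/relative/path',
];
foreach ($samples as $s) {
    printf("%-46s %s\n", json_encode($s), isSafeRedirectTarget($s) ? 'allow' : 'reject');
}
```

Only the first sample is allowed; the same check has to run before the target is written to a Location header as well as before it is rendered as a link.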

Credit to Alessandro Armando, Roberto Carbone, Matteo Grasso and Alessandro Sorniotti (AVANTSSAR Project) for reporting this issue.
