Information Exposure Affecting simplesamlphp/simplesamlphp package, versions <1.18.6
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-SIMPLESAMLPHPSIMPLESAMLPHP-567174
- published 23 Apr 2020
- disclosed 17 Apr 2020
- credit Sławek Naczyński
Introduced: 17 Apr 2020
CVE-2020-5301 Open this link in a new tabHow to fix?
Upgrade simplesamlphp/simplesamlphp
to version 1.18.6 or higher.
Overview
simplesamlphp/simplesamlphp is a PHP implementation of a SAML 2.0 service provider and identity provider, also compatible with Shibboleth 1.3 and 2.0.
Affected versions of this package are vulnerable to Information Exposure. The module controller in SimpleSAML\Module
that processes requests for pages hosted by modules, has code to identify paths ending with .php
and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser. The check to identify paths ending with .php
does not account for uppercase letters. If someone requests a path ending with e.g. .PHP
and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows.