Several scripts that are part of SimpleSAMLphp display a web page with links obtained from the request parameters. This allows us to enhance usability, as users are presented with links they can follow after completing a certain action, like logging out.
The following scripts were not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on:
All SimpleSAMLphp versions prior to 1.14.4.
A remote attacker could craft a link pointing to a trusted website running SimpleSAMLphp, including a parameter pointing to a malicious website, and try to fool the victim into visiting that website by clicking on a link in the page presented by SimpleSAMLphp.
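The kind of check the affected scripts lacked, as an added example (not SimpleSAMLphp's own code, nor the fix from the commits referenced on this page): a URL taken from a request parameter is used as a link target only if it is an absolute http(s) URL on an allowlisted host. The function name, the allowlist and all hosts are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration; not SimpleSAMLphp code. Hosts and names are hypothetical.
const TRUSTED_HOSTS = ['sp.example.org', 'idp.example.org'];

// Return $url only if it is an absolute http(s) URL on an allowlisted host.
function safe_link_target(string $url, string $fallback, array $trusted = TRUSTED_HOSTS): string
{
    // Control characters, spaces and backslashes are parsed differently by browsers.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return $fallback;
    }
    $p = parse_url($url);
    // Relative, scheme-relative (//host) and malformed values have no scheme or host.
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return $fallback; // any non-web scheme
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return $fallback; // userinfo can disguise the real host
    }
    return in_array(strtolower($p['host']), $trusted, true) ? $url : $fallback;
}

// Constructed request values standing in for a link parameter.
$samples = [
    'https://sp.example.org/account',
    'https://unknown.example.net/login',
    '//unknown.example.net/login',
    'javascript:void(0)',
    'https://sp.example.org@unknown.example.net/',
];
foreach ($samples as $raw) {
    $href = safe_link_target($raw, 'https://sp.example.org/');
    // Escape on output as well: validation and encoding are separate controls.
    printf("<a href=\"%s\">Continue</a>\n", htmlspecialchars($href, ENT_QUOTES, 'UTF-8'));
}
```

Only the first sample keeps its own URL; the other four are replaced by the fallback before the link is rendered.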
Vendor | Product | Version | CPE |
---|---|---|---|
simplesamlphp | simplesamlphp | * | cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-v858-922f-fj9v
github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/201606-01.yaml
github.com/simplesamlphp/simplesamlphp/commit/b1af4e47c81bca2bee633b3f84f4fde624f359ba
github.com/simplesamlphp/simplesamlphp/commit/d26eb8f17dc9916a5ef2fd0a286b0fc96a561e71
simplesamlphp.org/security/201606-01