SimpleSAMLphp is vulnerable to information disclosure. It does not properly handle a request for a file with an uppercase extension (‘.PHP’): instead of executing the file, the server sends its contents to the browser, leaking the sensitive source code of third-party modules.
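A detection sketch for the behaviour described above, added here as an example and not part of SimpleSAMLphp or the original advisory: it scans web-server access logs for requests whose path contains a '.php' extension written in any non-lowercase form. The combined log format, the sample lines, and the paths and module name in them are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request part of a common/combined access-log entry: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def mixed_case_php_segment(target):
    """Return the first path segment ending in a non-lowercase '.php' variant, else None."""
    # Drop the query string and decode percent-escapes (e.g. %2E for '.').
    path = unquote(urlsplit(target).path)
    for segment in path.split("/"):
        _, dot, ext = segment.rpartition(".")
        if dot and ext.lower() == "php" and ext != "php":
            return segment
    return None


def suspicious_requests(log_lines):
    """Yield (line_number, status, segment) for each request worth reviewing."""
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-HTTP entry
        segment = mixed_case_php_segment(match.group("target"))
        if segment:
            yield number, int(match.group("status")), segment


# Constructed sample entries: documentation IP range, hypothetical module name and paths.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /simplesaml/module.php/examplemod/page.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /simplesaml/module.php/examplemod/page.PHP HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /simplesaml/module.php/examplemod/config%2EPhp?debug=1 HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /simplesaml/resources/logo.PNG HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, status, segment in suspicious_requests(SAMPLE_LOG):
        # A 200 response means the file body was returned and should be reviewed first.
        print(f"line {number}: status {status}, segment {segment!r}")
```

Hits answered with status 200 are the ones to review first, since the response body may have carried the file's source.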