201603-01

Information leakage issue in the sanitycheck module

Background

The sanitycheck module, enabled by default, displays different kinds of information about a SimpleSAMLphp installation, aiming to help administrators to determine the correct behaviour of the software, as well as obtain valuable information that can be used to resolve problems. It can also be used by automated processes to determine the overall status of the software.

Description

An information leakage issue has been identified and corrected in the sanitycheck module. The issue allows attackers to obtain information about the exact version of PHP run by the affected system.

Affected versions

All SimpleSAMLphp versions prior to 1.14.1.

Impact

A remote attacker could learn information about the exact PHP version run by the affected system, allowing the search for vulnerabilities known to work with that version.

Resolution

Upgrade to the latest version.

Credit

This security issue was discovered and reported by Enrique de la Hoz.