201801-03

Use of insecure connection charset (sqlauth module)

Background

The sqlauth module provides an authentication source (sqlauth:SQL) that allows authenticating users against a database holding their credentials. This module supports any database backend supported by PDO, including MySQL, and the use of unicode code points is allowed both for usernames and passwords.

Regarding unicode support, MySQL has long supported the utf8 charset for database, table and column names, as well as for actual contents and connections. This charset, though, only partially implements UTF-8 encoding, despite its name.

Description

The utf8 connection charset is used by the sqlauth:SQL authentication source in the sqlauth module. Due to the lack of proper support for UTF-8 encoding provided by this charset, encoded symbols that take up four bytes instead of three or less aren’t supported. This issue, together with the fact that MySQL truncates a query when an unsupported character is found (in this case, any unicode code point represented with four bytes), could lead to serious security issues such as authentication bypass, unauthorized database manipulation or stored Cross-Site Scripting attacks.

Two mitigating factors concur in this case, making the issue not exploitable to the best of our knowledge:

In order to avoid any possible future issues, the connection charset has been changed from utf8 to utf8mb4 when using a MySQL backend, which implements full unicode support.

Affected versions

All SimpleSAMLphp versions up to (and including) 1.15.1.

Impact

At of the moment of this writing, there is no known way to exploit the issue described in this advisory.

However, the issue could be leveraged by an attacker in combination with other unknown issues in order to:

Resolution

Upgrade to the latest version.

Credit

This security issue was discovered during a security audit performed by Cure53 and reported on December 18, 2017.