Use of insecure connection charset (sqlauth module)
The sqlauth module provides an authentication source (
sqlauth:SQL) that allows authenticating users against a
database holding their credentials. This module supports any database backend supported by PDO, including MySQL, and
the use of unicode code points is allowed both for usernames and passwords.
Regarding unicode support, MySQL has long supported the
utf8 charset for database, table and column names, as well as
for actual contents and connections. This charset, though, only partially implements UTF-8 encoding, despite its
utf8 connection charset is used by the
sqlauth:SQL authentication source in the sqlauth module. Due to the
lack of proper support for UTF-8 encoding provided by this charset, encoded symbols that take up four bytes instead of
three or less aren’t supported. This issue, together with the fact that MySQL truncates a query when an unsupported
character is found (in this case, any unicode code point represented with four bytes), could lead to serious security
issues such as authentication bypass, unauthorized database manipulation or stored Cross-Site Scripting attacks.
Two mitigating factors concur in this case, making the issue not exploitable to the best of our knowledge:
- The module uses prepared statements to avoid SQL injections. This is an effective countermeasure to avoid SQL query truncation on unsupported characters.
- The issue is typically exploited with insert or update statements. That would allow an attacker to alter the HTML output produced by a page and execute arbitrary code on the victim’s browser (stored XSS). This module uses select statements, effectively removing the possibility to store arbitrary code to be executed.
In order to avoid any possible future issues, the connection charset has been changed from
using a MySQL backend, which implements full unicode support.
All SimpleSAMLphp versions up to (and including) 1.15.1.
At of the moment of this writing, there is no known way to exploit the issue described in this advisory.
However, the issue could be leveraged by an attacker in combination with other unknown issues in order to:
- bypass authentication.
- access and modify the contents of the user’s credentials database.
- perform stored Cross-Site Scripting attacks, running arbitrary code in the victim’s web browser.
Upgrade to the latest version.
This security issue was discovered during a security audit performed by Cure53 and reported on December 18, 2017.