201809-02

Dangerous use of file_get_contents

Background

XMLSecLibs is a library written by Rob Richards that implements the xml-enc and xml-dsig W3C recommendations. It allows its users to handle encrypted and digitally signed XML documents. SimpleSAMLphp delegates encryption and signature handling to this library.

Description

When processing node references in the getRefNodeID() function of the XMLSecurityDSig class, URIs are parsed by means of the parse_url() function. When no fragment is parsed by the function, the URI is considered an external reference that needs to be loaded, and the file_get_contents() function is used for that.

Unfortunately, file_get_contents() is a dangerous function when used with data obtained from user input, as it is the case. Using it could allow diverse kinds of attacks, from Denial of Service to loading of remote malicious resources.

Affected versions

All robrichards/xmlseclibs versions 1.x, 2.x and 3.x are affected, up to (including) 1.4.2, 2.0.1 and 3.0.1, respectively.

Impact

No way to take advantage of this issue has been identified, given that the argument passed to file_get_contents() is the object result of parsing a URI, instead of the string containing the URI itself.

Resolution

Upgrade to the latest versions of the library.

For SimpleSAMLphp users, run composer update or upgrade to SimpleSAMLphp 1.16. Refer to the documentation for instructions on how to run composer.

Credit

This security issue was discovered during a security audit performed by Cure53 and reported on December 18, 2017.