201809-03

Multiple XPath injections

Background

XMLSecLibs is a library written by Rob Richards that implements the W3C XML Encryption (xml-enc) and XML Signature (xml-dsig) recommendations. It allows its users to handle encrypted and digitally signed XML documents. SimpleSAMLphp delegates all encryption and signature handling to this library.

Description

The XMLSecLibs library uses XPath to query XML documents. An important use of these queries is reference resolution, which is needed to verify XML signatures: the fragment of a Reference element's URI attribute (the value after "#") is looked up as the Id of the element to be digested. Since that identifier comes from the document being verified, whoever supplies the document controls it and can craft it to contain an XPath sub-expression. This opens multiple attack vectors, ranging from denial of service (expensive injected expressions) to, potentially, signature verification bypass. The library does not validate or escape the identifier before interpolating it into its XPath expressions, making it possible for a malicious third party to alter the pre-defined queries.
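As an added illustration (this is not xmlseclibs or SimpleSAMLphp code, and the fix shown is one reasonable approach rather than necessarily the one the library adopted), the PHP script below resolves a Reference URI fragment against a constructed two-assertion document, first with the vulnerable string-splicing pattern and then with a hardened variant that validates the identifier as an NCName before it reaches DOMXPath. The sample XML, the function names and the simplified ASCII NCName pattern are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Constructed sample standing in for a signed SAML response: two assertions,
// each carrying an xs:ID attribute that a <Reference URI="#..."> could name.
const SAMPLE_XML = <<<'XML'
<Response xmlns="urn:example:response">
  <Assertion Id="assertion-1"><Subject>alice</Subject></Assertion>
  <Assertion Id="assertion-2"><Subject>mallory</Subject></Assertion>
</Response>
XML;

function loadDocument(): DOMDocument
{
    $doc = new DOMDocument();
    $doc->loadXML(SAMPLE_XML);
    return $doc;
}

// Vulnerable pattern: the fragment of the Reference URI is spliced straight into
// the XPath expression, so whoever controls the document controls the query.
function resolveReferenceVulnerable(DOMDocument $doc, string $uri): ?DOMElement
{
    $identifier = ltrim($uri, '#');
    $xpath = new DOMXPath($doc);
    // query() returns false (and raises a warning, suppressed here) when the
    // injected text leaves the expression syntactically invalid.
    $nodes = @$xpath->query('//*[@Id="' . $identifier . '"]');
    if ($nodes === false || $nodes->length === 0) {
        return null;
    }
    return $nodes->item(0);
}

// Hardened pattern: an xs:ID value must be an NCName, so the identifier is
// checked against that grammar before it touches the XPath engine.  The pattern
// below is a simplified ASCII subset of NCName (assumption of this example; the
// real production also admits non-ASCII letters).
function isNCName(string $value): bool
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_.\-]*$/', $value) === 1;
}

function resolveReferenceHardened(DOMDocument $doc, string $uri): ?DOMElement
{
    if ($uri === '' || $uri[0] !== '#') {
        return null;   // this example only resolves same-document references
    }
    $identifier = substr($uri, 1);
    if (!isNCName($identifier)) {
        throw new InvalidArgumentException('Reference identifier is not a valid xs:ID: ' . $identifier);
    }
    // Safe to interpolate: a validated NCName cannot contain quotes, brackets,
    // whitespace or XPath operators.
    $xpath = new DOMXPath($doc);
    $nodes = $xpath->query('//*[@Id="' . $identifier . '"]');
    return ($nodes !== false && $nodes->length > 0) ? $nodes->item(0) : null;
}

$doc = loadDocument();

// 1. A legitimate reference resolves to the named assertion with either resolver.
foreach (['resolveReferenceVulnerable', 'resolveReferenceHardened'] as $resolver) {
    $node = $resolver($doc, '#assertion-1');
    printf("%-27s #assertion-1 -> <%s Id=\"%s\">\n",
        $resolver, $node->localName, $node->getAttribute('Id'));
}

// 2. An injected identifier rewrites the predicate to  @Id="x" or true() or ""
//    which matches every element, so the "reference" now resolves to the
//    document element rather than to any assertion.  The same slot accepts
//    arbitrarily expensive sub-expressions (nested //* steps, count() over the
//    whole tree), which is the denial-of-service vector.
$injected = '#x" or true() or "';
$node = resolveReferenceVulnerable($doc, $injected);
printf("vulnerable: %s -> <%s>\n", $injected, $node->localName);

// 3. The hardened resolver refuses the payload before any XPath is evaluated.
try {
    resolveReferenceHardened($doc, $injected);
} catch (InvalidArgumentException $e) {
    echo 'hardened:   rejected (', $e->getMessage(), ")\n";
}
```

Validating the value against the xs:ID grammar is preferable to trying to escape it: XPath 1.0 has no escape sequence inside string literals, so the only general way to embed untrusted text is to split it on quote characters and rebuild it with concat(), which is easy to get wrong. Rejecting anything that is not a plausible Id also gives the verifier a clean failure instead of a silently different query.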

Affected versions

All robrichards/xmlseclibs versions 1.x, 2.x and 3.x are affected, up to (including) 1.4.2, 2.0.1 and 3.0.1, respectively.

Impact

No way to take advantage of this issue to bypass signature verification routines has been identified. However, other attack vectors might be viable and lead to serious consequences like denial of service.

Resolution

Upgrade to the latest version of the library on the branch you use (any release newer than those listed above).

For SimpleSAMLphp users, run composer update to pull in the fixed library, or upgrade to SimpleSAMLphp 1.16, which ships it. Refer to the documentation for instructions on how to run composer.

Credit

This security issue was discovered during a security audit performed by Cure53 and reported on December 18, 2017.