201809-03
Multiple XPath injections
Background
XMLSecLibs is a library written by Rob Richards that implements the xml-enc and xml-dsig W3C recommendations. It allows its users to handle encrypted and digitally signed XML documents. SimpleSAMLphp delegates encryption and signature handling to this library.
Description
The XMLSecLibs library uses XPath to query XML documents. An important use of these queries is reference resolution, which is needed to verify XML signatures. Since the identifier of the reference is provided by the user, it can be manipulated to include an XPath sub-expression that opens multiple attack vectors, from denial of service to signature verification bypass. The library does not include any mechanism to sanitize user input before using it in XPath queries, making it possible for a malicious third-party to alter pre-defined XPath expressions.
Affected versions
All robrichards/xmlseclibs versions 1.x, 2.x and 3.x are affected, up to (including) 1.4.2, 2.0.1 and 3.0.1, respectively.
Impact
No way to take advantage of this issue to bypass signature verification routines has been identified. However, other attack vectors might be viable and lead to serious consequences like denial of service.
Resolution
Upgrade to the latest versions of the library.
For SimpleSAMLphp users, run composer update
or upgrade to SimpleSAMLphp 1.16. Refer to the documentation for
instructions on how to run composer.
Credit
This security issue was discovered during a security audit performed by Cure53 and reported on December 18, 2017.