SimpleSAMLphp uses metadata to determine how to interact with other SAML entities. This metadata includes what’s called endpoints, which are URLs belonging to that entity where SAML messages can be sent. These URLs are used directly by SimpleSAMLphp when a message is sent, either via an HTTP redirection or by automatically posting a form to them.
When sending a SAML message to another entity, SimpleSAMLphp will use the URL of the appropriate endpoint to redirect the user’s browser to it, or craft a form that will be automatically posted to it, depending on the SAML binding used. The URL that’s target of the message is fetched from the stored metadata for the given entity, and that metadata is trusted as correct.
All SimpleSAMLphp versions are affected, up to 1.17.2.
Even though it’s unlikely that an administrator would add metadata for an entity that contains such endpoints inadvertently, if metadata is consumed automatically (e.g. using metarefresh) it would be easier to have an scenario like the one described here if a SAML entity is compromised and its metadata modified.
The severity is assessed as medium given the difficulty to exploit the issue.
Upgrade to the latest version of SimpleSAMLphp.
This security issue was discovered by avlidienbrunn, and reported by Steve Manzuik on July 5, 2019.