202309-01

Security header regression in SimpleSAMLphp 2.0

Description

Web pages can by default be loaded in HTML (i)frames from third party websites. This can be used by adversaries for so-called clickjacking attacks on a user, by presenting and controlling the legitimate web page from the surrounding frame.

SimpleSAMLphp 1.x would automatically send the HTTP header X-Frame-Options: SAMEORIGIN in any response. This prevents the browser from loading SimpleSAMLphp’s web pages in another HTML (i)frame, hardening against this class of attacks.

SimpleSAMLphp 2.0 unintentionally dropped sending this header on all responses, thereby reducing the hardening of SimpleSAMLphp responses against this class of attacks.

Affected versions

SimpleSAMLphp versions 2.0.0 up to 2.0.5 inclusive.

Impact

The hardening of a SimpleSAMLphp installation may be reduced relative to the 1.x version of this installation.

There are other ways for an installation to achieve the same hardning, e.g. setting the same header, or an appropriate header Content-Security-Policy with the frame-ancestors property, outside of SimpleSAMLphp. For example sending this header via the web server or load balancer in front of SimpleSAMLphp. Installations that set the same effective headers in this fashion are not affected.

Resolution

Upgrade the SimpleSAMLphp installation to version 2.0.6. This version by default restores the same HTTP security behaviour as was present in SimpleSAMLphp 1.x.

A new setting security.headers has been introduced that allows more finegrained control of this and other security-related HTTP readers. Refer to the shipped config.php.dist template for more information.

Alternatively or additionally you can ensure to set the security headers appropriate to your application and risk level via the webserver or load balancer software.

The website securityheaders.com can help assess your website’s security headers and opportunities to improve.

Credit

The regression in setting the security header was discovered and reported by Marcel Hellkamp.

Note that CVE id’s are not issued for missing security headers. Therefore this advisory will not get a CVE assigned.