Update PHP-SAML library to 2.10.0 to fix login security vulnerability #2819
Comments
@chris001, is there any chance to ask you to work on it and create some PR? Looks like you did a lot of the work already.
@shogunpol
I'm afraid this patch seems to lead to unparseable SAML XML. See the following error from SAMLtracer:
When properly aligned, the arrow points at the question mark after 'index.php'.
I'm not sure how to fix this (yet), but maybe someone else has an idea.
@ebogaard When do you get this error?
If it only needs quotes around the URL, that's a simple fix.
To me it seems that the double quotes are the only problem (but I'm no SAML 2.0 or XML expert). Should I create a new issue, or do we continue in this issue?
@ebogaard It'd probably be best to create a new issue on onelogin/php-saml at https://github.com/onelogin/php-saml/issues/new and include the link to this issue page, #2819
Okay, done: see issue #201 @ php-saml
@ebogaard Also, could you post in a new issue here the lines from your PHP log showing the failed SAML2 login error? They should say the error, the name of the source code file and the line where the error happens.
New issue opened: #3270
The SAML integration is based on a very old 2010 version of OneLogin's SAML toolkit, which was found to be vulnerable to a signature-wrapping attack.
Issue
SAML is used to provide single sign on to web applications.
Expected Behavior
Update the SAML library to prevent login attacks.
Actual Behavior
The signature wrapping attack allows an attacker to login to a user account by signing the request multiple times.
Possible Fix
The PHP-SAML library should be updated and use the latest version 2.10.0 or newer, which has fixed the security issue:
https://github.com/onelogin/php-saml
The PHP-SAML toolkit also supports composer. You can find the onelogin/php-saml package at https://packagist.org/packages/onelogin/php-saml. In order to import the latest version of the SAML toolkit, run:
composer require onelogin/php-saml
After installation has completed you'll find inside the vendor/ folder a new folder named onelogin and inside it php-saml. Make sure you are including the autoloader provided by composer. It can be found at vendor/autoload.php.
Important: When using composer, the x509 certs must be stored at vendor/onelogin/php-saml/certs and the settings file stored at vendor/onelogin/php-saml. Your settings are at risk of being deleted when updating packages using composer update or similar commands. So it is highly recommended that instead of using settings files, you pass the settings as an array directly to the constructor. If you do not use this approach your settings are at risk of being deleted when updating packages using composer update or similar commands.
Steps to Reproduce
Context
Medium-High priority. It's a serious security issue. SAML is such a popular method of login because it's fast, protects passwords, and reduces password proliferation. The PHP application SuiteCRM doesn't hold any user password data; only the identity provider, such as Microsoft, Facebook, Twitter or Google, holds the user's password data. The SuiteCRM PHP application is much harder to hack when users are logging in with SAML, because the hacker would need to attack the security of the Identity Provider (typically a social network), yet social networks typically run high security, are constantly audited by world-class security teams, and send highly deliverable email and push notifications to the user of any suspicious login activity coming from new devices and new locations.
Your Environment
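The settings-as-array pattern the issue recommends, as an added example that is not code from this issue, from SuiteCRM or from the php-saml project: it bootstraps php-saml 2.x through the composer autoloader and enables the signature checks a defender would want when processing an IdP response. All hostnames, entity IDs and certificate values are placeholders.

```php
<?php
// Added example: php-saml 2.x settings passed directly to the constructor,
// so nothing lives under vendor/ that "composer update" could delete.
// Hostnames, entity IDs and certificate strings are placeholders.
require_once __DIR__ . '/vendor/autoload.php';

$settings = array(
    // Strict mode makes failed signature, destination, audience and timestamp
    // checks reject the response rather than merely being reported.
    'strict' => true,
    'debug'  => false,
    'sp' => array(
        'entityId' => 'https://crm.example.com/saml/metadata',
        'assertionConsumerService' => array(
            'url'     => 'https://crm.example.com/saml/acs',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        'x509cert'   => 'PLACEHOLDER_SP_CERTIFICATE',
        'privateKey' => 'PLACEHOLDER_SP_PRIVATE_KEY',
    ),
    'idp' => array(
        'entityId' => 'https://idp.example.org/saml/metadata',
        'singleSignOnService' => array(
            'url' => 'https://idp.example.org/saml/sso',
        ),
        'x509cert' => 'PLACEHOLDER_IDP_CERTIFICATE',
    ),
    'security' => array(
        // Require the IdP to sign both the message and the assertion, so an
        // unsigned assertion wrapped around a signed one is not accepted.
        'wantMessagesSigned'   => true,
        'wantAssertionsSigned' => true,
    ),
);

// Handle the POSTed SAMLResponse at the assertion consumer endpoint.
$auth = new OneLogin_Saml2_Auth($settings);
$auth->processResponse();

if (count($auth->getErrors()) > 0 || !$auth->isAuthenticated()) {
    // Record the library's reason for rejection, then deny access.
    error_log('SAML login rejected: ' . $auth->getLastErrorReason());
    http_response_code(403);
    exit;
}

// Only now is the asserted identity safe to map to an application user.
$nameId     = $auth->getNameId();
$attributes = $auth->getAttributes();
```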