mahara-contributors team mailing list archive
Message #59213
[Bug 1889485] [NEW] Security Upgrade SimpleSAML 1.18.4 to 1.18.7
*** This bug is a security vulnerability ***
Public security bug reported:
From https://simplesamlphp.org/security/202004-01:
Date
April 03, 2020
Affected versions
SimpleSAMLphp 1.18.5 and older
Severity
Low
Background
The module controller in SimpleSAML\Module that processes requests for pages hosted by modules, has code to identify paths ending with .php and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser.
Description
The check to identify paths ending with .php does not account for uppercase letters. If someone requests a path ending with e.g. .PHP and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser.
Affected versions
SimpleSAMLphp versions 1.18.5 and older.
We will upgrade to version 1.18.7
** Affects: mahara
Importance: High
Assignee: Lisa Seeto (lisaseeto)
Status: Confirmed
** Affects: mahara/19.04
Importance: High
Status: Confirmed
** Affects: mahara/19.10
Importance: High
Status: Confirmed
** Affects: mahara/20.04
Importance: High
Status: Confirmed
** Affects: mahara/20.10
Importance: High
Assignee: Lisa Seeto (lisaseeto)
Status: Confirmed
** Changed in: mahara
Milestone: None => 19.10.4
** Changed in: mahara
Milestone: 19.10.4 => None
** Changed in: mahara
Milestone: None => 19.04.6
** Also affects: mahara/19.10
Importance: Undecided
Status: New
** Also affects: mahara/19.04
Importance: Undecided
Status: New
** Also affects: mahara/20.10
Importance: High
Status: New
** Also affects: mahara/20.04
Importance: Undecided
Status: New
** Changed in: mahara/20.10
Milestone: 19.04.6 => 20.10.0
** Changed in: mahara/20.04
Milestone: None => 20.04.1
** Changed in: mahara/20.10
Milestone: 20.10.0 => None
** Changed in: mahara/20.10
Milestone: None => 20.10.0
** Changed in: mahara/19.10
Milestone: None => 19.10.4
** Changed in: mahara/19.04
Milestone: None => 19.04.6
** Changed in: mahara/20.10
Status: New => In Progress
** Changed in: mahara/20.10
Assignee: (unassigned) => Lisa Seeto (lisaseeto)
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1889485
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1889485/+subscriptions
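The mechanism the advisory describes, as an added illustration that is not SimpleSAMLphp's code and not part of the Mahara patch: a minimal module controller that looks a request path up in a module directory and either runs the file as PHP or falls through to sending it as a static file. The file table, the case-insensitive lookup (standing in for a Windows/NTFS filesystem), the function names and the lowercasing fix are all assumptions made for this example; the real 1.18.6 change may differ in detail.

```php
<?php
// Added example, not SimpleSAMLphp's implementation. Models a module
// controller that resolves a request path to a module file and then
// either executes it as PHP or serves its raw bytes to the browser.

// Constructed sample "filesystem": names exactly as they exist on disk.
const MODULE_FILES = [
    'modules/core/www/loginuserpass.php' => '<?php echo "login form"; ?>',
    'modules/core/www/assets/style.css'  => 'body { color: #000; }',
];

// Case-insensitive lookup: what file_exists() effectively does on NTFS.
// On a case-sensitive filesystem this would return null for .PHP.
function findFileCaseInsensitive(string $path): ?string
{
    foreach (array_keys(MODULE_FILES) as $real) {
        if (strcasecmp($real, $path) === 0) {
            return $real;
        }
    }
    return null;
}

// Vulnerable-style check (assumed shape): exact, case-sensitive suffix test.
function isPhpVulnerable(string $path): bool
{
    return substr($path, -4) === '.php';
}

// Hardened check: normalise case before comparing, so .PHP, .Php, ... match.
function isPhpFixed(string $path): bool
{
    return strtolower(substr($path, -4)) === '.php';
}

// Dispatch one request. $isPhp is the suffix predicate under test.
// Returns ['execute', $file] when the file would be run as PHP,
// ['serve', $file] when its source would be sent to the browser as-is,
// or ['notfound', null] when nothing on disk matches.
function dispatch(string $requestPath, callable $isPhp): array
{
    $file = findFileCaseInsensitive('modules/core/www/' . ltrim($requestPath, '/'));
    if ($file === null) {
        return ['notfound', null];
    }
    if ($isPhp($requestPath)) {
        return ['execute', $file];
    }
    // No other handler claimed the path: fall through and send the file bytes.
    return ['serve', $file];
}

foreach (['loginuserpass.php', 'loginuserpass.PHP', 'assets/style.css'] as $req) {
    [$vulnAction]  = dispatch($req, 'isPhpVulnerable');
    [$fixedAction] = dispatch($req, 'isPhpFixed');
    printf("%-22s vulnerable: %-8s fixed: %s\n", $req, $vulnAction, $fixedAction);
}
```

Run with `php` on the command line. The middle line of the output is the bug: `loginuserpass.PHP` resolves to the real `.php` file on the case-insensitive lookup, the vulnerable predicate does not recognise it as PHP, and the controller falls through to serving the source. With the case-normalised predicate the same request is executed instead. On a case-sensitive filesystem the `.PHP` request simply finds no file, which is why the advisory scopes the issue to Windows-style deployments. A quick check of a deployment (a suggested procedure, not from the page) is to request a module page you know exists with its extension upper-cased and confirm the response is a rendered page, not PHP source. A more robust design than fixing the suffix test alone is to compare the canonical on-disk name (for example via realpath()) against the requested one and refuse requests whose case differs, since any string comparison done before resolution can be bypassed by whatever the filesystem is willing to fold.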
Follow ups
- [Bug 1889485] Re: Security Upgrade SimpleSAML 1.18.4 to 1.18.7 (From: Kristina Hoeppner, 2020-11-02)
- [Bug 1889485] Re: Security Upgrade SimpleSAML 1.18.4 to 1.18.7 (From: Robert Lyon, 2020-11-01)
- [Bug 1889485] Re: Security Upgrade SimpleSAML 1.18.4 to 1.18.7 (From: Robert Lyon, 2020-10-22)
- [Bug 1889485] Re: Security Upgrade SimpleSAML 1.18.4 to 1.18.7 (From: Lisa Seeto, 2020-08-04)
- [Bug 1889485] Re: Security Upgrade SimpleSAML 1.18.4 to 1.18.7 (From: Cecilia Vela Gurovic, 2020-08-04)
- [Bug 1889485] A change has been merged (From: Mahara Bot, 2020-08-04)
- [Bug 1889485] A change has been merged (From: Mahara Bot, 2020-08-04)
- [Bug 1889485] Re: Security Upgrade SimpleSAML 1.18.4 to 1.18.7 (From: Robert Lyon, 2020-08-04)
- [Bug 1889485] A change has been merged (From: Mahara Bot, 2020-08-03)
- [Bug 1889485] Re: Security Upgrade SimpleSAML 1.18.4 to 1.18.7 (From: Robert Lyon, 2020-08-03)
- [Bug 1889485] Re: Security Upgrade SimpleSAML 1.18.4 to 1.18.7 (From: Robert Lyon, 2020-08-03)
- [Bug 1889485] A patch has been submitted for review (From: Mahara Bot, 2020-08-03)
- [Bug 1889485] A change has been merged (From: Mahara Bot, 2020-08-03)
- [Bug 1889485] Re: Security Upgrade SimpleSAML 1.18.4 to 1.18.7 (From: Lisa Seeto, 2020-08-03)
- [Bug 1889485] Re: Security Upgrade SimpleSAML 1.18.4 to 1.18.7 (From: Lisa Seeto, 2020-07-29)
- [Bug 1889485] Re: Security Upgrade SimpleSAML 1.18.4 to 1.18.7 (From: Robert Lyon, 2020-07-29)