Skip to content

Incorrect signature verification for HTTP-Redirect binding

High
tvdijen published GHSA-46r4-f8gj-xg56 Mar 11, 2025

Package

composer simplesamlphp/saml2 (Composer)

Affected versions

<=v4.16.15
<=v5.0.0-alpha.19

Patched versions

v4.17.0
v5.0.0-alpha.20
composer simplesamlphp/saml2-legacy (Composer)
<=v4.16.15
v4.17.0

Description

Summary

There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message.

I believe that it exists for v4 only. I have not yet developed a PoC.

V5 is well designed and instead builds the signed query from the same message that will be consumed.

Details

What is verified

The data['SignedQuery'] is the string that will be verified by the public key.

It is defined here:

saml2/src/SAML2/HTTPRedirect.php

Lines 178 to 217 in 9545abd

private static function parseQuery() : array
{
/*
* Parse the query string. We need to do this ourself, so that we get access
* to the raw (urlencoded) values. This is required because different software
* can urlencode to different values.
*/
$data = [];
$relayState = '';
$sigAlg = '';
$sigQuery = '';
foreach (explode('&', $_SERVER['QUERY_STRING']) as $e) {
$tmp = explode('=', $e, 2);
$name = $tmp[0];
if (count($tmp) === 2) {
$value = $tmp[1];
} else {
/* No value for this parameter. */
$value = '';
}
$name = urldecode($name);
$data[$name] = urldecode($value);
switch ($name) {
case 'SAMLRequest':
case 'SAMLResponse':
$sigQuery = $name.'='.$value;
break;
case 'RelayState':
$relayState = '&RelayState='.$value;
break;
case 'SigAlg':
$sigAlg = '&SigAlg='.$value;
break;
}
}
$data['SignedQuery'] = $sigQuery.$relayState.$sigAlg;
return $data;

THe code will iterate through each parameter name. Notably, sigQuery is overridden each time when processing, making the last of SAMLRequest/SAMLResponse used for sigQuery.

For example, given:

SAMLRequest=a&SAMLResponse=idpsigned

SAMLResponse=idpsigned will be set as sigQuery, then later verified

What is actually processed

Processing uses SAMLRequest parameter value first, (if it exists) then SAMLResponse:

saml2/src/SAML2/HTTPRedirect.php

Lines 104 to 113 in 9545abd

public function receive(): Message
{
$data = self::parseQuery();
if (array_key_exists('SAMLRequest', $data)) {
$message = $data['SAMLRequest'];
} elseif (array_key_exists('SAMLResponse', $data)) {
$message = $data['SAMLResponse'];
} else {
throw new \Exception('Missing SAMLRequest or SAMLResponse parameter.');
}

Given this, the contents that are processed might not be the same as the data that is actually verified.

Exploiting

Suppose an attacker has a signed HTTP Redirect binding from IdP, say a signed logout response. :

SAMLResponse=idpsigned&RelayState=...&SigAlg=...&Signature

Then an attacker can append SAMLRequest in front:

SAMLRequest=unverifieddata&SAMLResponse=idpsigned&RelayState=...&SigAlg=...&Signature=..

SimpleSAMLPhp will only verify the SAMLResponse, but will actually use the SAMLRequest contents. The impact here is increased because there's no checks that SAMLRequest actually contains a Request, it could instead contain an Response, which allows the attacker to effectively impersonate any user within the SP.

IdPs

Microsoft Azure AD/Entra (and likely ADFS) signs the LogoutResponse via this SimpleSign format in HTTP Redirect binding. If an attacker logs out of Entra, they will be able to extract a valid Signature.

Attached is an HTTP Request when an I initiated a SLO request from the service provider to the IdP (entra). Then IdP POSTed this SAMLResponse with HTTP Redirect binding signature, via the user browser to the SP. It should be possible to carry out the described attack with this.

https://webhook.site/c6038292-6ef5-46ac-973d-d7c25520ec48/logout?SAMLResponse=fVJNa%2bMwEP0rRndZtmw5tnAMy%2fYSaC9N6aGXIsmjVMTRGI9M%2bvObdeihsPQ4w7x5HzM9mcs060c84ZqegWaMBNnhYc%2fejS1UW1TAnVU7XldK8s7JkcvOd60Db3zTsewVFgoY90zmBcsORCscIiUT061VyJqXJS%2fbl7LRUmrZ5mXdvLHsASiFaNKG%2fEhpJi3EFewH4jmnkEC4pqha2UnegFe8bozj3a4a%2bbhzUilZgKtbMW2yb7TxW%2foL7lkM9hTC2XnEOPvZXjDECb2N1lh7mvBsp%2bnsErDs8zJF0lsEe7YuUaOhQDqaC5BOTh%2f%2fPD3qmzE9L5jQ4cSGfrO43KG%2fgwwRLP8ssuHbIiXKryGOeKU8QhLSVN7WteejV8Bru%2bt4WynFbwE3bdVV5ahG0Ys759Dfj3VMJq30s%2fqLI2SvZlrhd020Tevj6hwQMTH04udS8b%2bHGL4A&Signature=Z%2f7gIPv7Gkgvqtwo0bzgXyum9IjHMfP0zTYuNbl%2fBUGlQ%2fU%2bbOZGZJ6Rk9wLUyvNQ5XlZRxZrfESNA%2bn0CVyIedsg9GxQKTi7VqPTJFJqEIP1BZaEpYYP3%2f6sFfLxfTMKecJoQdxnDE5Malte1hMj2UujWnLXOnp0CgO%2f%2fU2K52SoGckIzNDRB%2fJ6%2fysTn%2bDjBrmgdro%2fgdTyby9%2f3vm8dzY8pUkRCgMjlimShrZxr5U33wQvwPLIXlDgActr91RUtWKE0k8sy%2brshrK9DKLPo8AdTLk7NYhjSWdF7OG7uqgEeEo470tacqQuA09E0qDh8CWS%2bycLJijiGYWVyQa4Q%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CVE ID

CVE-2025-27773

Weaknesses

Credits