Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Log injection in SimpleSAMLphp
Vulnerability Description
Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances, to inject new log lines by manually crafting this report ID. When configured to use the file logging handler, SimpleSAMLphp will output all its logs by appending each log line to a given file. Since the reportID parameter received in a request sent to www/errorreport.php was not properly sanitized, it was possible to inject newline characters into it, effectively allowing a malicious user to inject new log lines with arbitrary content.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
通过日志文件的信息暴露
Vulnerability Title
SimpleSAMLphp 日志信息泄露漏洞
Vulnerability Description
SimpleSAMLphp是一款实现了SAML 2.0服务提供者和标识提供者功能的PHP身份验证应用程序。 SimpleSAMLphp 1.18.4之前版本中存在日志信息泄露漏洞,该漏洞源于www/errorreport.php脚本未对reportID参数进行正确的清理。攻击者可利用该漏洞在SimpleSAMLphp文件中另起行并注入任意内容。
CVSS Information
N/A
Vulnerability Type
N/A