Session Fixation and Authentication Bypass Vulnerability in SimpleSAMLphp

CVE-2017-12868 · HIGH Severity

CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P (base score 7.5)

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. PHP 5.6 introduced hash_equals(); on older PHP the method falls back to a hand-written constant-time loop, and that loop XORs the single-character strings it reads from the two inputs instead of first converting each character to its byte value. The result of the XOR is therefore a string, and when it is folded into the integer accumulator PHP coerces any non-numeric string to 0, so most differences between the two inputs are silently discarded and the method reports a match for values that are not equal. Any check that relies on secureCompare (session and authentication tokens, cookie values) can then be satisfied with an attacker-chosen value of the correct length. Upgrading SimpleSAMLphp or running on PHP 5.6 or later (where hash_equals() is used) resolves the issue.
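The following is an added illustration of the flaw described above and is not the SimpleSAMLphp source. The function names (vulnerableCompare, fixedCompare, safeCompare) and the two sample token values are assumptions constructed for the demonstration. The (int) cast in the vulnerable loop makes the implicit string-to-integer coercion that PHP 5 performed silently explicit, so the block runs on any PHP version (PHP 7 would only warn, PHP 8 would throw a TypeError on the implicit form).

```php
<?php
// Added example illustrating CVE-2017-12868. Not SimpleSAMLphp code;
// it reconstructs the pattern the advisory describes: XOR applied to
// one-character strings instead of to their byte values.

// Hand-written constant-time compare of the kind an old PHP (< 5.6,
// no hash_equals()) forced developers to write. The flaw: $known[$i] and
// $user[$i] are one-byte strings, so "^" yields a one-byte string, and
// folding that into the integer accumulator coerces the string to an
// integer. Any non-numeric byte becomes 0, so the difference is lost.
// The explicit (int) cast reproduces PHP 5's silent implicit coercion.
function vulnerableCompare($known, $user)
{
    $len = strlen($known);
    if (strlen($user) !== $len) {
        return false;
    }
    $ret = 0;
    for ($i = 0; $i < $len; $i++) {
        $ret |= (int) ($known[$i] ^ $user[$i]);   // missing ord() conversion
    }
    return $ret === 0;
}

// Corrected form: convert each byte to its integer value with ord()
// before XORing, so every differing bit is accumulated into $ret.
function fixedCompare($known, $user)
{
    $len = strlen($known);
    if (strlen($user) !== $len) {
        return false;
    }
    $ret = 0;
    for ($i = 0; $i < $len; $i++) {
        $ret |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $ret === 0;
}

// What a practitioner should actually deploy: the built-in hash_equals()
// where it exists (PHP >= 5.6), with the corrected loop only as a fallback.
function safeCompare($known, $user)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    return fixedCompare($known, $user);
}

// Constructed sample values (not real secrets): a stored token and an
// attacker-supplied value of the same length that differs in ten of its
// twelve bytes. Two lowercase letters XOR to a value below 0x20, which is
// never a digit character, so every difference coerces to 0 and the
// vulnerable compare accepts the forged value.
$known = 'deadbeefcafe';
$user  = 'attackerctrl';

var_dump(vulnerableCompare($known, $user)); // bool(true)  - forged value accepted
var_dump(fixedCompare($known, $user));      // bool(false)
var_dump(safeCompare($known, $user));       // bool(false)
```

Note that the vulnerable loop is not wrong for every input: if two differing bytes XOR to the ASCII code of a digit 1-9 (for example 'a' ^ 'P' is "1"), that difference is counted. Tokens made of lowercase hex characters, the common case for session identifiers, never produce such a byte, which is why the bypass is reliable in practice.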