{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/simplesamlphp/simplesamlphp-module-casserver--7.0.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["simplesamlphp/simplesamlphp-module-casserver \u003c= 7.0.2"],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-deletion","simplesamlphp"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eA path traversal vulnerability exists within the \u003ccode\u003esimplesamlphp-module-casserver\u003c/code\u003e module, specifically affecting deployments that utilize the \u003ccode\u003eFileSystemTicketStore\u003c/code\u003e. This vulnerability, identified as CVE-2026-46491, arises from the direct concatenation of the configured ticket directory with attacker-controlled ticket identifiers received via the \u003ccode\u003eticket\u003c/code\u003e or \u003ccode\u003epgt\u003c/code\u003e query parameters in public CAS validation/proxy endpoints. By injecting path traversal sequences (e.g., \u003ccode\u003e../target.serialized\u003c/code\u003e) into these parameters, attackers can read and unserialize arbitrary files outside the designated ticket directory. Furthermore, the CAS 1.0 validation flow can lead to the deletion of attacker-specified files if the PHP process has sufficient permissions and the file contents can be unserialized into a compatible type. 
This issue impacts versions of \u003ccode\u003ecomposer/simplesamlphp/simplesamlphp-module-casserver\u003c/code\u003e up to and including 7.0.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a SimpleSAMLphp instance with the casserver module enabled and configured to use FileSystemTicketStore.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious CAS validation/proxy request containing a \u003ccode\u003eticket\u003c/code\u003e or \u003ccode\u003epgt\u003c/code\u003e parameter with a path traversal sequence (e.g., \u003ccode\u003e../target.serialized\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe SimpleSAMLphp application receives the request and concatenates the attacker-controlled \u003ccode\u003eticket\u003c/code\u003e parameter with the configured ticket directory.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read the file at the constructed path using \u003ccode\u003egetTicket()\u003c/code\u003e. Due to the path traversal, the file accessed is outside the intended ticket directory.\u003c/li\u003e\n\u003cli\u003eIf the file contains valid serialized PHP data, the application unserializes its content.\u003c/li\u003e\n\u003cli\u003eIn the CAS 1.0 validation flow, the application calls \u003ccode\u003edeleteTicket()\u003c/code\u003e with the same attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf the PHP process has sufficient permissions and the unserialized content meets certain criteria (e.g., an array or null), the target file is deleted.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves unauthorized file read and potential deletion, impacting system integrity and confidentiality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-46491) allows remote attackers to bypass intended file access restrictions. 
Confirmed impacts include the ability to read and unserialize arbitrary files outside the designated ticket cache, potentially exposing sensitive data. Furthermore, under specific conditions within the CAS 1.0 validation flow, attackers can delete files outside the ticket cache, leading to denial-of-service or data loss scenarios. The severity of file deletion depends on the filesystem permissions of the PHP process and the content of the targeted file. This could potentially lead to destruction of CAS tickets, serialized SimpleSAMLphp runtime/cache files, or other writable files whose contents can be unserialized into a value accepted by the \u003ccode\u003e?array\u003c/code\u003e return type.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecomposer/simplesamlphp/simplesamlphp-module-casserver\u003c/code\u003e package to a version greater than 7.0.2 to remediate CVE-2026-46491.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003eticket\u003c/code\u003e and \u003ccode\u003epgt\u003c/code\u003e parameters to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SimpleSAMLphp FileSystemTicketStore Path Traversal Attempt\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and restrict the filesystem permissions of the PHP process to minimize the impact of potential file deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T18:10:59Z","date_published":"2026-05-15T18:10:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-simplesamlphp-traversal/","summary":"A path traversal vulnerability in SimpleSAMLphp's casserver module allows remote attackers to read and potentially delete arbitrary files outside the ticket directory by manipulating the ticket parameter in CAS validation requests, impacting confidentiality and 
integrity.","title":"SimpleSAMLphp casserver FileSystemTicketStore Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-simplesamlphp-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Simplesamlphp/Simplesamlphp-Module-Casserver \u003c= 7.0.2","version":"https://jsonfeed.org/version/1.1"}