GHSA-fjr2-r2mp-484p: 
PHP vulnerability analysis and mitigation

A critical signature validation bypass vulnerability was discovered in SimpleSAMLphp versions up to 1.14.16, identified as CVE-2017-18122. The vulnerability was discovered on October 22, 2017, and publicly disclosed on October 25, 2017. This security flaw affects the SimpleSAMLXMLValidator class, which is responsible for verifying XML digital signatures in SAML 1 messages (SimpleSAMLphp Advisory).

The vulnerability stems from a lax comparison in the isNodeValidated() method of the SimpleSAMLXMLValidator class. The method uses PHP's in_array() function without strict type checking to verify if DOM nodes are in the validNodes array. Due to PHP's default loose type comparison behavior, the presence of any DOM node in the list causes the function to return true for any DOM node being checked, effectively bypassing the signature validation process (GitHub Advisory).

The vulnerability allows attackers to impersonate any user from any SAML 1 Identity Provider trusted by a SimpleSAMLphp Service Provider. The only prerequisite is having access to a valid assertion previously sent to the affected Service Provider. The impact is particularly severe for SimpleSAMLphp installations with metadata deployed for SAML 1 Identity Providers, typically listed in the metadata/shib13-idp-remote.php file (SimpleSAMLphp Advisory).

The recommended mitigation is to upgrade to SimpleSAMLphp version 1.14.17 or later. For cases where immediate upgrade isn't possible, a patch is available that modifies the inarray() function call in the SimpleSAMLXML_Validator class to use strict comparisons by adding a third parameter 'true' (SimpleSAMLphp Advisory).