2 vulnerabilties in phpCAS

[Joachim Fritschi <fritschi () hrz tu-darmstadt de>]

Hi all,

the phpCAS library [1] contains 2 security vulnerabilties that have been 
fixed in the new phpCAS release [2]. Redhat already provided CVE 
numbers, thanks.

A: CVE-2010-2795 (PHPCAS-61) [3] is a serious issue. It allows you to 
hijack any authenticated user session if get access to a users service 
ticket in any way. The submitted service ticket was used to rename the 
http session before actually validating the ticket. If you intercept or 
guess a service ticket you can hijack a user session without proper 
ticket validation.

B: CVE-2010-2796 (PHPCAS-67) [4] is a minor issue. phpCAS is not 
sanatizing a submitted value. Might be usable for XSS in cas proxy mode.


The phpCAS library is included in multiple other projects:
glpi,moodle,tikiwiki,claroline etc. that might be vulnerable as well


Regards,

Joachim Fritschi


[1] https://wiki.jasig.org/display/CASC/phpCAS
[2] http://downloads.jasig.org/cas-clients/php/1.1.2/
[3] https://issues.jasig.org/browse/PHPCAS-61
[4] https://issues.jasig.org/browse/PHPCAS-67

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature