oss-sec mailing list archives
CVE Requests for phpCAS
From: Joachim Fritschi <jfritschi () freenet de>
Date: Sun, 04 Mar 2012 17:21:34 +0100
Hi,

Two security vulnerabilities were discovered in the phpCAS library from the Jasig project.

In the default configuration, a phpCAS-protected application allowed any other CAS service with proxy authorization and valid user credentials to proxy any other phpCAS application in the same SSO realm. This is a security flaw, since individual applications should check whether another application is actually authorized to proxy for users in this particular application. This issue can be found on the issue tracker, and a fix has already been committed:

https://issues.jasig.org/browse/PHPCAS-69

In the default debug configuration, a debug log was stored without proper protection in /tmp, and in a proxy configuration session data was stored without proper protection in /tmp. Both of these could leak private user attributes and sensitive login tokens during the login procedure to other users on the webserver. This issue can be found on the issue tracker, and a fix has already been committed:

https://github.com/Jasig/phpCAS/issues/22

Could you please allocate two CVE identifiers for these issues?

Thanks,
Joachim
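The two configuration points the report describes, as an added example that is not part of the original message or the phpCAS project's own code: a phpCAS bootstrap that restricts which services may proxy into the application (the PHPCAS-69 issue) and keeps the debug log and proxy-granting-ticket storage out of /tmp (the GitHub issue 22 problem). It assumes the phpCAS 1.3-era API (phpCAS::allowProxyChain with CAS_ProxyChain, phpCAS::setDebug, phpCAS::setPGTStorageFile); the hostnames, paths and the $thisAppProxies switch are placeholders, not values from the report.

```php
<?php
// Added example, not code from the advisory or from phpCAS itself.
// Assumes phpCAS 1.3+ (allowProxyChain/CAS_ProxyChain, setDebug, setPGTStorageFile).
require_once 'CAS.php';

// Private directory for the debug log and PGT storage: owned by the
// web-server user and not readable by other local users, unlike the
// /tmp default the report describes. Placeholder path.
$privateDir = '/var/lib/phpcas-app';
if (!is_dir($privateDir)) {
    mkdir($privateDir, 0700, true);
}

// Issue 2 (debug log in /tmp): if debugging is needed at all, write the
// log inside the private directory. Leave this call out in production.
phpCAS::setDebug($privateDir . '/phpcas-debug.log');

// Placeholder: set to true only if this application itself needs to
// obtain proxy tickets for back-end services.
$thisAppProxies = false;

if ($thisAppProxies) {
    phpCAS::proxy(CAS_VERSION_2_0, 'cas.example.org', 443, 'cas');
    // Issue 2 (proxy session data in /tmp): PGT/PGTIOU state goes into
    // the private directory instead of the default /tmp location.
    phpCAS::setPGTStorageFile($privateDir . '/pgt');
} else {
    phpCAS::client(CAS_VERSION_2_0, 'cas.example.org', 443, 'cas');
}

// Validate the CAS server's certificate; placeholder CA bundle path.
phpCAS::setCasServerCACert('/etc/ssl/certs/cas-ca.pem');

// Issue 1 (PHPCAS-69): do not accept proxy tickets from arbitrary CAS
// services. Only the chains listed here may proxy into this application.
// Each entry is an exact proxy callback URL, or a regular expression when
// it starts with '/'. With no chain allowed, proxy tickets are rejected.
phpCAS::allowProxyChain(new CAS_ProxyChain(array(
    'https://portal.example.org/cas-proxy-callback',      // exact match
    '/^https:\/\/intranet\.example\.org\/[^\/]+\/pgtcallback$/', // regex
)));

// Require a CAS login (service ticket or an allowed proxy ticket).
phpCAS::forceAuthentication();

// From here on $user is the authenticated principal.
$user = phpCAS::getUser();
```

The allowlist is the application-side check the report says was missing: a proxy ticket whose proxy chain does not match one of the configured entries fails validation even though the CAS server issued it. The 0700 directory is what actually closes the local-user leak; moving the files alone is not enough if the new directory is world-readable.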