Re: CVE Requests for phpCAS

[Kurt Seifried <kseifried () redhat com>]

On 03/04/2012 09:21 AM, Joachim Fritschi wrote:
> Hi,
>
> 2 security vulnerabilities were discovered in the phpCAS library from
> the jasig project.
>
> In the default configuration a phpCAS protected application allowed any
> other cas service with proxy authorization and valid user credentials to
> proxy any other phpCAS applications in the same SSO realm.
> This is a security flaw since individual applications should check
> whether another application is actually authorized to proxy for users in
> this particular application.
> This issue can be found on the issue tracker and a fix has already been
> committed:
> https://issues.jasig.org/browse/PHPCAS-69

Please use CVE-2012-1104 for this issue.

> In the default debug configuration a debug log was stored without proper
> protection in /tmp and in a proxy configuration session data was stored
> without proper protection in /tmp. This both could leak private user
> attributes and sensitive login tokens during the login procedure to
> other user on the webserver.
> This issue can be found on the issue tracker and a fix has already been
> committed:
> https://github.com/Jasig/phpCAS/issues/22

Please use CVE-2012-1105 for this issue.


> Could you please allocate two CVE identifiers for these issues?
>
> Thanks,
>
> Joachim


-- 
Kurt Seifried Red Hat Security Response Team (SRT)