Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE Requests for phpCAS
From: Joachim Fritschi <jfritschi () freenet de>
Date: Sun, 04 Mar 2012 17:21:34 +0100

Hi,

2 security vulnerabilities were discovered in the phpCAS library from the jasig project.

In the default configuration a phpCAS protected application allowed any other cas service with proxy authorization and valid user credentials to proxy any other phpCAS applications in the same SSO realm. This is a security flaw since individual applications should check whether another application is actually authorized to proxy for users in this particular application. This issue can be found on the issue tracker and a fix has already been committed:
https://issues.jasig.org/browse/PHPCAS-69


In the default debug configuration a debug log was stored without proper protection in /tmp and in a proxy configuration session data was stored without proper protection in /tmp. This both could leak private user attributes and sensitive login tokens during the login procedure to other user on the webserver. This issue can be found on the issue tracker and a fix has already been committed:
https://github.com/Jasig/phpCAS/issues/22

Could you please allocate two CVE identifiers for these issues?

Thanks,

Joachim


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault