Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 04 Mar 2012 17:21:34 +0100
From: Joachim Fritschi <jfritschi@...enet.de>
To: oss-security@...ts.openwall.com
Subject: CVE Requests for phpCAS

Hi,

2 security vulnerabilities were discovered in the phpCAS library from 
the jasig project.

In the default configuration a phpCAS protected application allowed any 
other cas service with proxy authorization and valid user credentials to 
proxy any other phpCAS applications in the same SSO realm.
This is a security flaw since individual applications should check 
whether another application is actually authorized to proxy for users in 
this particular application.
This issue can be found on the issue tracker and a fix has already been 
committed:
https://issues.jasig.org/browse/PHPCAS-69


In the default debug configuration a debug log was stored without proper 
protection in /tmp and in a proxy configuration session data was stored 
without proper protection in /tmp. This both could leak private user 
attributes and sensitive login tokens during the login procedure to 
other user on the webserver.
This issue can be found on the issue tracker and a fix has already been 
committed:
https://github.com/Jasig/phpCAS/issues/22

Could you please allocate two CVE identifiers for these issues?

Thanks,

Joachim

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.