Date: Sun, 04 Mar 2012 20:24:11 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Joachim Fritschi <jfritschi@...enet.de> Subject: Re: CVE Requests for phpCAS On 03/04/2012 09:21 AM, Joachim Fritschi wrote: > Hi, > > 2 security vulnerabilities were discovered in the phpCAS library from > the jasig project. > > In the default configuration a phpCAS protected application allowed any > other cas service with proxy authorization and valid user credentials to > proxy any other phpCAS applications in the same SSO realm. > This is a security flaw since individual applications should check > whether another application is actually authorized to proxy for users in > this particular application. > This issue can be found on the issue tracker and a fix has already been > committed: > https://issues.jasig.org/browse/PHPCAS-69 Please use CVE-2012-1104 for this issue. > In the default debug configuration a debug log was stored without proper > protection in /tmp and in a proxy configuration session data was stored > without proper protection in /tmp. This both could leak private user > attributes and sensitive login tokens during the login procedure to > other user on the webserver. > This issue can be found on the issue tracker and a fix has already been > committed: > https://github.com/Jasig/phpCAS/issues/22 Please use CVE-2012-1105 for this issue. > Could you please allocate two CVE identifiers for these issues? > > Thanks, > > Joachim -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ