Message-ID: <4F53968E.3040701@freenet.de>
Date: Sun, 04 Mar 2012 17:21:34 +0100
From: Joachim Fritschi <jfritschi@...enet.de>
To: oss-security@...ts.openwall.com
Subject: CVE Requests for phpCAS

Hi,

2 security vulnerabilities were discovered in the phpCAS library from the jasig project.

In the default configuration a phpCAS protected application allowed any other CAS service with proxy authorization and valid user credentials to proxy any other phpCAS applications in the same SSO realm. This is a security flaw since individual applications should check whether another application is actually authorized to proxy for users in this particular application. This issue can be found on the issue tracker and a fix has already been committed:
https://issues.jasig.org/browse/PHPCAS-69

In the default debug configuration a debug log was stored without proper protection in /tmp, and in a proxy configuration session data was stored without proper protection in /tmp. Both of these could leak private user attributes and sensitive login tokens during the login procedure to other users on the webserver. This issue can be found on the issue tracker and a fix has already been committed:
https://github.com/Jasig/phpCAS/issues/22

Could you please allocate two CVE identifiers for these issues?

Thanks,
Joachim
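The two defensive checks the report describes, shown at the CAS 2.0 protocol level as an added example (this is not phpCAS code and not from the report's author): an application validates the proxy chain returned in the server's /proxyValidate response against an explicit allowlist rather than accepting any proxying service in the SSO realm, and it keeps debug logs and proxy-granting-ticket state in owner-only files created with O_CREAT|O_EXCL instead of a predictable, shared path under /tmp. The sample XML response, the hostnames and the allowlist are constructed for the example.

```python
"""Defender-side checks for a CAS-protected application (illustrative, not phpCAS).

1. Validate the reported proxy chain against an allowlist.
2. Store log / PGT state in a private, unpredictable file.
"""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of a successful CAS 2.0 proxyValidate response.
# The CAS protocol lists proxies nearest-first: portal called us on
# behalf of gateway, which is where the user originally authenticated.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.example.org/pgtCallback</cas:proxy>
      <cas:proxy>https://gateway.example.org/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed allowlist: one entry per permitted chain, one pattern per hop,
# in the same nearest-first order the server reports. A pattern is a literal
# URL or a compiled regular expression (matched against the whole URL).
ALLOWED_CHAINS = [
    ["https://portal.example.org/pgtCallback",
     re.compile(r"https://gateway\.example\.org/.*")],
]


def parse_proxy_chain(xml_text):
    """Return (user, [proxy URLs]) from a successful proxyValidate response.

    Raises ValueError if the response is a failure or is malformed.
    """
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("CAS authentication failure or unexpected response")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    proxies = [p.text.strip()
               for p in success.findall("cas:proxies/cas:proxy", CAS_NS)
               if p.text]
    return user, proxies


def _hop_matches(pattern, url):
    if isinstance(pattern, re.Pattern):
        return pattern.fullmatch(url) is not None
    return pattern == url


def chain_is_allowed(proxies, allowed_chains):
    """True only if the whole chain matches one allowlist entry hop for hop.

    A direct (non-proxied) login has an empty chain and is always accepted;
    any proxied login must match an explicitly configured chain, so an
    unknown service in the same SSO realm is rejected by default.
    """
    if not proxies:
        return True
    for chain in allowed_chains:
        if len(chain) != len(proxies):
            continue
        if all(_hop_matches(pat, url) for pat, url in zip(chain, proxies)):
            return True
    return False


def private_state_file(prefix, directory=None):
    """Create an owner-only (0600) file with an unpredictable name.

    mkstemp opens with O_CREAT|O_EXCL and mode 0600 regardless of umask,
    so another local user can neither pre-create nor read the file.
    """
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    os.close(fd)
    return path


def file_is_private(path):
    """True if neither group nor others have any permission on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def private_state_file_is_private():
    """Create a state file, check its mode, remove it; returns the check result."""
    path = private_state_file("cas-state-")
    try:
        return file_is_private(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    user, proxies = parse_proxy_chain(SAMPLE_RESPONSE)
    print(user, "via", proxies, "allowed:", chain_is_allowed(proxies, ALLOWED_CHAINS))
    print("unknown proxy allowed:",
          chain_is_allowed(["https://other.example.net/pgtCallback"], ALLOWED_CHAINS))
    print("state file private:", private_state_file_is_private())
```

The allowlist is matched hop for hop and length for length, so a trusted portal that is itself reached through an unexpected intermediate service is rejected rather than partially matched.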