All,

It has recently come to our attention that there is an HTML Injection Vulnerability in the JSP pages that are used to generate the validation success/failure responses. We've fixed this in the latest CAS 3.1.2 and CAS 3.2 RC5 releases. We encourage everyone to move to these releases.

If you would like a hot fix for production without moving to these, please copy the JSP pages located in the view/jsp/protocol/2.0 directory into your production server (as long as you have JSP recompilation on, it should be automatically picked up). You can either grab the files from one of the releases or from here:

http://developer.jasig.org/source/browse/jasigsvn/cas3/tags/cas-3-1-2-final/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/2.0

Details:
The offending JSP pages were not properly HTML escaping the ticket parameter received from the HTML request when echoing it back on an error. In addition, the pages, by default, were being sent back as text/html (which causes the browser to render the response as HTML).

Fix:
The JSP pages now properly escape any input. In addition, they are now sent back as text/plain instead of text/html.

Please note that neither CAS 2.x nor RubyCAS are affected. RubyCAS properly escapes the characters. CAS 2.x sends the response as text/plain.

Thanks to:
Thanks to Daniel Almeida from Instituto Superior Técnico, Portugal for reporting this.

Thanks
-Scott

--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ cas-dev mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas-dev
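The two defensive measures the announcement describes (escape the reflected ticket parameter, and serve the validation response as text/plain rather than text/html) are shown together below as an added Java example. This is not code from the CAS project or from the fixed JSP pages; the class and method names (SafeValidationResponse, escapeXml, failureResponse) are hypothetical, and the response body follows the CAS 2.0 protocol's cas:authenticationFailure element shape.

```java
// Added example, not CAS project code. Demonstrates the pattern the advisory
// describes: HTML-escape client-supplied input before echoing it into the
// CAS 2.0 validation failure response, and serve that response as text/plain.
public class SafeValidationResponse {

    // Content type the advisory says the fixed pages now use. The vulnerable
    // pages sent text/html, which let a browser render injected markup.
    public static final String CONTENT_TYPE = "text/plain";

    // Escape the characters that carry meaning in HTML/XML so reflected
    // input is displayed literally instead of parsed as markup.
    public static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Build the CAS 2.0 failure body. The ticket value comes straight from the
    // request, so it is untrusted and must never be concatenated in raw.
    public static String failureResponse(String code, String ticket) {
        return "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n"
             + "  <cas:authenticationFailure code='" + escapeXml(code) + "'>\n"
             + "    Ticket '" + escapeXml(ticket) + "' not recognized\n"
             + "  </cas:authenticationFailure>\n"
             + "</cas:serviceResponse>\n";
    }

    public static void main(String[] args) {
        // Constructed sample: a ticket parameter that contains markup.
        String ticket = "ST-1-<b>not-a-ticket</b>";
        System.out.println("Content-Type: " + CONTENT_TYPE);
        System.out.println();
        System.out.println(failureResponse("INVALID_TICKET", ticket));
        // The '<' and '>' reach the client as &lt; and &gt;, and the text/plain
        // content type means a browser shows the body as text, not as HTML.
    }
}
```

In a servlet or JSP the content type would be applied with the response object's setContentType call before the body is written; the escaping belongs at the point where the request parameter is written into the output, not where it is read, so that every echo site is covered.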
