Hi, Can you elaborate? Is this a filter on client side or server side? Which filter is this?
Thx,
Yan

On Friday, August 19, 2016 at 4:50:53 PM UTC-4, Misagh Moayyed wrote:

> You may need to bump the CAS security filter to the latest version, and use filters it provides to set that option. Later CAS versions I suspect do that already by default.
>
> --
> Misagh
>
> From: Yan Zhou <[email protected]>
> Reply: Yan Zhou <[email protected]>
> Date: August 19, 2016 at 8:49:17 AM
> To: CAS Community <[email protected]>
> Subject: [cas-user] CAS 4.1.X Cross-Frame Scripting/Clickjacking prevention?
>
> Hi,
>
> We are running CAS 4.1.9 overlay. Our security team, after app scanning, has reported that CAS has a security vulnerability: cross-frame scripting, which allows clickjacking. Basically, CAS allows itself to be framed in another app.
>
> If I understand it correctly, an attacker will use an iframe to frame the login page and overlay the UI elements on the login form. The user types in their credentials and clicks on Login, but the credentials are submitted first to the attacker's server, then the form is submitted again to the CAS server. The user gets in and won't see a difference, but the attacker already has the user's credentials.
>
> Their solution is to set the X-Frame-Options header on the web server; that is quite simple, no code change.
>
> Is this a vulnerability? It sounds so to me.
>
> Is there a list of things that we need to do in order to secure CAS? I did not see any mention of this on the CAS Security Guide page.
>
> Thanks,
> Yan
>
> --
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/97d44090-7d5d-4a49-a345-fb880a99fa5b%40apereo.org.
> For more options, visit https://groups.google.com/a/apereo.org/d/optout.
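The anti-framing header discussed in this thread is set server side, on the HTTP response, which is why the suggested fix is a servlet filter in the CAS web application rather than anything on the client. The filter below is an added illustration written for this page, not the CAS security filter itself; the class name, the `xFrameOptions` init-param and the default of `DENY` are assumptions. It emits both the legacy `X-Frame-Options` header and the equivalent CSP `frame-ancestors` directive so that browsers refuse to render the login page inside another site's iframe.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical server-side filter (not the CAS security filter) that adds
 * anti-framing headers to every response it wraps. Map it to /* in web.xml,
 * ahead of the CAS filters, so the login page is covered.
 */
public class FrameOptionsFilter implements Filter {

    // Assumed default: refuse all framing. SAMEORIGIN is the only other value accepted here.
    private String xFrameOptions = "DENY";

    @Override
    public void init(FilterConfig config) {
        // Optional init-param "xFrameOptions" (hypothetical name): DENY or SAMEORIGIN.
        String value = config.getInitParameter("xFrameOptions");
        if (value != null
                && ("DENY".equalsIgnoreCase(value) || "SAMEORIGIN".equalsIgnoreCase(value))) {
            xFrameOptions = value.toUpperCase();
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Headers must be set before the response is committed, i.e. before chain.doFilter.
            http.setHeader("X-Frame-Options", xFrameOptions);
            // CSP equivalent: 'none' matches DENY, 'self' matches SAMEORIGIN.
            String ancestors = "DENY".equals(xFrameOptions) ? "'none'" : "'self'";
            http.setHeader("Content-Security-Policy", "frame-ancestors " + ancestors);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

After deploying, confirm the fix from outside with a plain HTTP request to the login URL and check that both headers appear in the response; a scanner that still reports the finding is usually hitting a path the filter mapping does not cover.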
