OpenSAML (which CAS uses) was patched for this over a year ago. http://shibboleth.net/community/advisories/secadv_20110725.txt
There was some recent (within 3 months) discussion of this very same topic. Seems that the conference proceedings are a bit behind the actual papers being released. Other discussions of this exact paper can be found on the shib list and perhaps the saml list as well ... can't remember where.

------
thanks
kevin.foote

On Mon, 29 Oct 2012, Rene Schrieken wrote:

> Hi,
>
> On a recent security symposium
> https://www.usenix.org/conference/usenixsecurity12/breaking-saml-be-whoever-you-want-be
> an attack vector was shown for systems (excluding CAS) relying on SAML
> tokens.
>
> In a presentation and PDF, 14 SSO/SAML-based frameworks have been evaluated
> for that specific attack vector. I was wondering if the presented attack
> vector is also valid for the SAML protocol as used by CAS. If this
> vulnerability is present in current setups, can we elaborate on measures to
> mitigate this possible threat in current production systems?
>
> René
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
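The "Breaking SAML" paper referenced in the thread is about XML Signature Wrapping: the SP verifies a signature that really was made by the IdP, but then consumes a different element than the one the signature covers. The script below is an added illustration of that mismatch and is not code from the thread, from CAS or from OpenSAML. It deliberately models XML-DSig with an HMAC over a plain (namespace-free) element serialization instead of real C14N and xmlsec, the `Response`/`Assertion`/`Signature` layout and the key `IDP_KEY` are constructed for the demo, and the attacker's relocation of the signed assertion into an `Extensions` element is one of several wrapping positions the paper discusses, chosen here for simplicity.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo secret standing in for the IdP's signing key (assumption:
# real XML-DSig uses an asymmetric key; HMAC keeps the example self-contained).
IDP_KEY = b"idp-signing-key-demo"


def canonical(elem):
    """Stand-in for C14N: serialize the element without any Signature child."""
    e = copy.deepcopy(elem)
    for sig in e.findall("Signature"):
        e.remove(sig)
    e.tail = None  # tail text is not part of the element and must not affect the MAC
    return ET.tostring(e, encoding="utf-8")


def sign_assertion(assertion):
    """Attach a <Signature> whose Reference points at the assertion's ID."""
    mac = hmac.new(IDP_KEY, canonical(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, "Signature")
    ET.SubElement(sig, "Reference").set("URI", "#" + assertion.get("ID"))
    ET.SubElement(sig, "SignatureValue").text = mac


def legitimate_response():
    """What the IdP sends: one signed assertion for 'alice' (constructed sample)."""
    resp = ET.Element("Response")
    a = ET.SubElement(resp, "Assertion", ID="_a1")
    ET.SubElement(a, "Subject").text = "alice"
    sign_assertion(a)
    return ET.tostring(resp, encoding="utf-8")


def attacker_wrap(signed_response_xml):
    """Signature wrapping: keep the genuine signed assertion (moved out of the
    way), put a forged assertion in its place, and copy the Signature element
    so its Reference still resolves to the genuine assertion's ID."""
    root = ET.fromstring(signed_response_xml)
    original = root.find("Assertion")
    root.remove(original)
    forged = ET.Element("Assertion", ID="_forged")
    ET.SubElement(forged, "Subject").text = "admin"
    forged.append(copy.deepcopy(original.find("Signature")))
    root.insert(0, forged)
    ET.SubElement(root, "Extensions").append(original)  # wrapped, still intact
    return ET.tostring(root, encoding="utf-8")


def find_by_id(root, elem_id):
    """ID-based reference resolution across the whole document, as a DSig
    library typically does."""
    for e in root.iter():
        if e.get("ID") == elem_id:
            return e
    return None


def verify_signature(root, assertion):
    """Check the MAC over whatever element the Reference URI resolves to.
    Returns the element that was actually verified, or None."""
    sig = assertion.find("Signature")
    if sig is None:
        return None
    target = find_by_id(root, sig.find("Reference").get("URI")[1:])
    if target is None:
        return None
    expected = hmac.new(IDP_KEY, canonical(target), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig.findtext("SignatureValue") or ""):
        return None
    return target


def naive_sp(xml_bytes):
    """Vulnerable pattern: 'signature valid?' then read the first Assertion."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find("Assertion")
    if verify_signature(root, assertion) is None:
        raise ValueError("bad signature")
    return assertion.findtext("Subject")  # not necessarily the element verified


def hardened_sp(xml_bytes):
    """Hardened pattern: exactly one assertion, unique IDs, and only consume
    the very element the signature was verified over."""
    root = ET.fromstring(xml_bytes)
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes in document")
    assertions = root.findall("Assertion")
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    verified = verify_signature(root, assertions[0])
    if verified is None:
        raise ValueError("bad signature")
    if verified is not assertions[0]:
        raise ValueError("signature does not cover the assertion being consumed")
    return verified.findtext("Subject")


if __name__ == "__main__":
    legit = legitimate_response()
    evil = attacker_wrap(legit)
    print("naive SP, legit  :", naive_sp(legit))
    print("naive SP, wrapped:", naive_sp(evil))
    print("hardened, legit  :", hardened_sp(legit))
    try:
        hardened_sp(evil)
    except ValueError as err:
        print("hardened, wrapped: rejected ->", err)
```

The point the thread is asking about is the last check in `hardened_sp`: signature validation must return the element it validated, and the consumer must process that element and nothing else. Library-level fixes such as the OpenSAML advisory cited above enforce this binding inside the signature-validation layer rather than leaving it to each application.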
