On Mon, Aug 11, 2014 at 12:03:48PM -0400, Marvin Addison wrote:
>[...]
>
>Mitigation
>----------------------------------------
>The CAS Service Management facility [1], which is enabled by default,
>can be used to restrict services that are permitted to use CAS (i.e.
>allowed to request tickets). Whitelisting trusted services can reduce
>the scope of attacks like scenario 1 above.
>
>The following servlet filter may provide additional defense at the CAS
>server against some forms of this attack:
>
>https://github.com/Jasig/cas-server-security-filter/tree/cas-server-security-filter-1.0.0
This CAS server security filter[*] seems to catch the Services Management app
if you edit an entry to release more than one attribute.
java.lang.IllegalArgumentException: 'allowedAttributes' parameter appears more
than once for url: /cas/services/edit.html
org.jasig.cas.security.SecurityFilter.checkParameterOnlyAppearOnce(SecurityFilter.java:79)
org.jasig.cas.security.SecurityFilter.doFilter(SecurityFilter.java:62)
Is there a way to exclude the Services Management app?
Aloha,
-baron
[*] I found I also needed to deploy an slf4j jar file to get this
to work (slf4j-api-1.7.7.jar was minimally required. Other versions probably
work, but that seemed to be the latest available. YMMV)
--
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
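The failure described above is a single-occurrence parameter check tripping on a form that legitimately posts a multi-valued parameter. The following is an added illustration, not code from the CAS security filter or from the poster: it models that check and shows a per-path allowance for named parameters (narrower than excluding the whole Services Management app). The policy table, the /cas/login path and the sample values are constructed for the example; only 'allowedAttributes' and /cas/services/edit.html come from the thread.

```python
from urllib.parse import parse_qsl

# Added example, not code from the CAS project or the poster: a model of a
# request-hardening filter's "each parameter appears only once" check, with
# a per-path allowance for parameters that are legitimately multi-valued,
# so a form such as the Services Management edit page can post several
# 'allowedAttributes' values without being rejected wholesale.

class ParameterPolicyError(ValueError):
    """Raised when a request violates the single-occurrence rule."""

def duplicated_params(query):
    """Names that occur more than once in a URL-encoded query string."""
    counts = {}
    for name, _ in parse_qsl(query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)

def check_request(path, query, policy):
    """Enforce the rule. `policy` maps a path to the set of parameter names
    allowed to repeat there. Returns the tolerated repeats; raises otherwise."""
    repeats = duplicated_params(query)
    tolerated = policy.get(path, set())
    offending = [name for name in repeats if name not in tolerated]
    if offending:
        raise ParameterPolicyError(
            f"'{offending[0]}' parameter appears more than once for url: {path}")
    return repeats

def evaluate_request(path, query, policy):
    """Non-raising wrapper: (accepted, detail) for logging or tests."""
    try:
        return True, check_request(path, query, policy)
    except ParameterPolicyError as err:
        return False, str(err)

# Constructed policy and sample requests (parameter name and edit page path
# from the thread; the login path and the values are illustrative).
POLICY = {"/cas/services/edit.html": {"allowedAttributes"}}

if __name__ == "__main__":
    samples = [
        ("/cas/services/edit.html",
         "id=42&name=wiki&allowedAttributes=uid&allowedAttributes=mail"),
        ("/cas/services/edit.html", "id=42&id=43&allowedAttributes=uid"),
        ("/cas/login", "service=https%3A%2F%2Fa.example&service=https%3A%2F%2Fb.example"),
    ]
    for path, query in samples:
        print(path, evaluate_request(path, query, POLICY))
```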