Andrew,

From my knowledge, there are no current known vulnerabilities in a properly configured environment (SSL, minimal services running, etc.). Deployers should be aware of changes that they make to the configurations and JSPs that may affect the security of the application (i.e. not securely writing user content to a JSP page, not validating user input, or changing the cookie security).

Login Tokens were added multiple revisions ago (in the CAS 2.x code) to account for browsers that did not properly handle the back button and allowed one to resubmit credentials. Similarly, the CAS 2.x code also used JavaScript for redirection to handle a Safari issue. The Login Tokens still exist. However, it has been determined that more recent versions of Safari do not exhibit this issue, and standard HTTP redirects are now issued.

Andrew Petro may be able to speak more about any vulnerabilities and issues discovered during the development of CAS 1/2. CAS 3 and CAS 3.1 built upon the knowledge gained in the development of CAS 2, so we handle anything that they discovered.

-Scott

On 10/24/07, Andrew R Feller <[EMAIL PROTECTED]> wrote:
>
> While working with our technical services group to transition CAS from
> its research and test phase to production, the technical services manager
> was concerned about past and known CAS security issues/vulnerabilities.
> Aside from running unnecessary services and not requiring all communication
> through HTTPS, what past and known CAS security issues are there?
>
> Thanks,
>
> Andrew R Feller, Analyst
> Subversion Administrator
> University Information Systems
> Louisiana State University
> [EMAIL PROTECTED]
> (office) 225.578.3737
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
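The one-time login token mechanism Scott describes (a token issued with the login form, bound to the browser session, and invalidated on first use so that a back-button resubmission or replayed POST is rejected), as an added example. This is illustrative code written for this page, not CAS's own implementation; the `LoginTokenStore` class, the `simulate_back_button` helper, the 5-minute lifetime and the session-id string are all constructed assumptions.

```python
import hmac
import secrets
import time


class LoginTokenStore:
    """One-time login tokens (constructed example, not CAS code).

    issue()   - called when the login form is rendered; returns a fresh
                CSPRNG token bound to the caller's session id.
    consume() - called when the form is POSTed; succeeds exactly once per
                token.  Any later presentation (back button, replay, a token
                stolen into another session, an expired token) fails.
    """

    def __init__(self, ttl_seconds=300, now=time.time):
        # ttl_seconds and the injectable clock are assumptions for the example
        self._ttl = ttl_seconds
        self._now = now
        self._tokens = {}  # token -> (session_id, issued_at)

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[token] = (session_id, self._now())
        return token

    def consume(self, session_id, token):
        # pop() removes the token on the first lookup that finds it, so a
        # wrong-session or expired presentation also burns it: there is no
        # second chance to guess the right session for a leaked token.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        bound_session, issued_at = entry
        if self._now() - issued_at > self._ttl:
            return False
        # constant-time comparison of the session binding
        return hmac.compare_digest(bound_session, session_id)


def simulate_back_button(store=None):
    """Original submission succeeds; resubmitting the same form fails."""
    store = store or LoginTokenStore()
    session = "JSESSIONID-constructed-example"  # constructed sample session id
    lt = store.issue(session)
    first = store.consume(session, lt)   # the user submits the login form
    second = store.consume(session, lt)  # back button, same form, resubmitted
    return first, second


if __name__ == "__main__":
    print(simulate_back_button())  # (True, False)
```

The store is in-memory for the example; in a clustered deployment the same single-use guarantee has to come from whatever shared store the server already uses for sessions, otherwise a resubmission that lands on a different node would be accepted.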
