I've contacted David Castro (to see if I can get him to look into it, though I may not have much luck since the original person didn't). Beyond that, unfortunately I have no control over the source code. If someone who is familiar with AuthCAS can confirm the issue we can update our wiki to recommend not using AuthCAS. I'll put a note now about it currently being investigated.
Please note that any alleged vulnerability in AuthCAS does not affect the CAS Server. If vulnerabilities are ever discovered, please contact the JASIG security team: http://www.ja-sig.org/wiki/display/JSG/Security+Contact+Group

Also, note that mod_auth_cas is our recommended solution for Apache modules. It is fully under the control of the JASIG Subversion instance and maintained regularly.

Thanks
-Scott

On Dec 10, 2007 1:59 PM, Smith, Matt <[EMAIL PROTECTED]> wrote:
> All-
>
> A public posting just came across my radar detailing a security
> vulnerability in the Apache::AuthCAS client. The poster claims "...
> there hasn't been any reply and the guys at ja-sig.org haven't been able
> or willing to look into it ..."
>
> It appears the poster has not fully validated the vulnerability (a SQL
> injection attack), but it may be worth investigation. It is already
> publicly posted, but I won't post the direct link here until given the
> go-ahead.
>
> HTH,
> -Matt
>
> --
> Matt Smith
> [EMAIL PROTECTED]
> University Information Technology Services (UITS)
> University of Connecticut
> PGP Key ID: 0xE9C5244E
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
