Hi
I'm using AuthCAS for some reason, so I hardened it (patch attached).
Line 516 of AuthCAS.pm 0.4:
- $cookie =\~ /.*$SESSION_COOKIE_NAME=(*[^;]*\+)(\s*;.*\|\s*$)/;
+ $cookie =\~ /.*$SESSION_COOKIE_NAME=(*[\w\.\/]{32})(\s;.*\|\s*$)/;
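Review bot: the `+` line drops the `*` after `\s` in the trailing group (`(\s;.*\|\s*$)` where the `-` line had `(\s*;.*\|\s*$)`), so a session cookie that is followed directly by `;` with no whitespace no longer matches the first alternative and the whole match fails whenever the cookie is not the last one in the header; restore `\s*;` there. The match is also still run as a bare statement with its result unchecked, and in Perl a failed match leaves `$1` holding the capture from the previous successful match, so the caller should test the match before using the capture, e.g. `if ($cookie =~ /.../) { $session_id = $1 }`. Finally, the `=\~`, `(*` and `\|` sequences as pasted are not valid Perl and look like mailer escaping, so the attached patch file rather than the inline text should be treated as the reviewable version.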
The regex is restricted according to the 'create_session_id' function
(Line 1349)
Note: I added a comment on the wiki. Though it would be nice to have the
CPAN version updated (with the DBI patch as well).
Sebastien BARRE
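As an added illustration (not code from this thread or from AuthCAS), the same hardening written in Python: a loose pattern in the spirit of the original line, which passes through whatever precedes the next `;`, beside a parser that matches the cookie name exactly and accepts only values shaped like those create_session_id produces (32 characters of `[\w./]`, per the patch). The cookie name and the sample headers are constructed placeholders.

```python
import re

# Assumption: the cookie name is a placeholder; the value shape (exactly
# 32 characters from [\w./]) is taken from the posted patch.
SESSION_COOKIE_NAME = "AuthCAS_Session"
# re.ASCII keeps \w to [A-Za-z0-9_], matching the intent of the patch.
SESSION_ID_RE = re.compile(r"[\w./]{32}", re.ASCII)

# Loose extraction modelled on the original line: no anchor before the
# name and any run of non-';' characters accepted as the value.
LOOSE_RE = re.compile(
    r".*" + re.escape(SESSION_COOKIE_NAME) + r"=([^;]+)(\s*;.*|\s*$)"
)


def loose_session_id(cookie_header):
    """Return whatever the loose pattern captures, or None if no match."""
    m = LOOSE_RE.match(cookie_header)
    return m.group(1) if m else None


def strict_session_id(cookie_header):
    """Split the Cookie header on ';', require an exact name match, and
    accept the value only if it has the shape the generator produces.
    Returns None on any failure so a caller cannot use a stale value."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == SESSION_COOKIE_NAME:
            value = value.strip()
            return value if SESSION_ID_RE.fullmatch(value) else None
    return None


if __name__ == "__main__":
    # Constructed sample headers.
    good = "a" * 32
    for header in (
        f"foo=1; {SESSION_COOKIE_NAME}={good}; bar=2",
        f"{SESSION_COOKIE_NAME}=not_a_valid_session_id!",
        f"X{SESSION_COOKIE_NAME}={good}",
    ):
        print(repr(header))
        print("  loose :", loose_session_id(header))
        print("  strict:", strict_session_id(header))
```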
On Mon, Dec 10, 2007 at 02:28:15PM -0500, Scott Battaglia wrote:
> I've contacted David Castro (to see if I can get him to look into it, though
> I may not have much luck since the original person didn't). Beyond that,
> unfortunately I have no control over the source code. If someone who is
> familiar with AuthCAS can confirm the issue we can update our wiki to
> recommend not using AuthCAS. I'll put a note now about it currently being
> investigated.
>
> Please note that any alleged vulnerability in AuthCAS does not affect the
> CAS Server. If vulnerabilities are ever discovered, please contact the
> JASIG security team:
> http://www.ja-sig.org/wiki/display/JSG/Security+Contact+Group
>
> Also, note that mod_auth_cas is our recommended solution for Apache
> modules. It is fully under the control of the JASIG Subversion instance and
> maintained regularly.
>
> Thanks
> -Scott
>
> On Dec 10, 2007 1:59 PM, Smith, Matt <[EMAIL PROTECTED]> wrote:
>
> > All-
> >
> > A public posting just came across my radar detailing a security
> > vulnerability in the Apache::AuthCAS client. The poster claims "...
> > there hasn't been any reply and the guys at ja-sig.org haven't been able
> > or willing to look into it ..."
> >
> > It appears the poster has not fully validated the vulnerability (a SQL
> > injection attack), but it may be worth investigation. It is already
> > publicly posted, but I won't post the direct link here until given the
> > go-ahead.
> >
> > HTH,
> > -Matt
> >
> > --
> > Matt Smith
> > [EMAIL PROTECTED]
> > University Information Technology Services (UITS)
> > University of Connecticut
> > PGP Key ID: 0xE9C5244E
> >
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia