I'm not sure how to get the code updated since we don't control it.  However,
if you could add your patch to the Wiki so it's available to people, that would
be great.

Thanks
-Scott

On Jan 14, 2008 8:57 AM, Sebastien BARRE <[EMAIL PROTECTED]> wrote:

> Hi
>
> I'm using AuthCAS for some reason, so I hardened it (patch attached).
>
> Line 516 of AuthCAS.pm 0.4:
> - $cookie =\~ /.*$SESSION_COOKIE_NAME=(*[^;]*\+)(\s*;.*\|\s*$)/;
> + $cookie =\~ /.*$SESSION_COOKIE_NAME=(*[\w\.\/]{32})(\s;.*\|\s*$)/;
>
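Review bot: The `+` line changes the trailing group from `(\s*;.*\|\s*$)` to `(\s;.*\|\s*$)`, dropping the `*` after `\s`, so the new pattern only matches when exactly one whitespace character sits between the 32-character value and the `;`. A Cookie header normally has the `;` directly after the value, so a session cookie followed by another cookie would stop matching; keep `\s*;` as in the `-` line unless the change was intended. Restricting the value to `[\w\.\/]{32}` is the substantive hardening, and it only helps if the code that follows rejects the request when the match fails rather than reusing an earlier `$1`; those lines are not shown, so that is worth confirming. Consider also wrapping the interpolated name as `\Q$SESSION_COOKIE_NAME\E` and replacing the leading `.*` with a boundary, since as written any cookie whose name merely ends in the session cookie name matches too.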
> The regex is restricted according to the 'create_session_id' function
> (Line 1349)
>
> Note: I added a comment on the wiki. Though it would be nice to have the
> CPAN version updated (with the DBI patch as well).
>
> Sebastien BARRE
>
> On Mon, Dec 10, 2007 at 02:28:15PM -0500, Scott Battaglia wrote:
> > I've contacted David Castro (to see if I can get him to look into it, though
> > I may not have much luck since the original person didn't).  Beyond that,
> > unfortunately I have no control over the source code.  If someone who is
> > familiar with AuthCAS can confirm the issue we can update our wiki to
> > recommend not using AuthCAS. I'll put a note now about it currently being
> > investigated.
> >
> > Please note that any alleged vulnerability in AuthCAS does not affect the
> > CAS Server.  If vulnerabilities are ever discovered, please contact the
> > JASIG security team:
> > http://www.ja-sig.org/wiki/display/JSG/Security+Contact+Group
> >
> > Also, note that mod_auth_cas is our recommended solution for Apache
> > modules.  It is fully under the control of the JASIG Subversion instance and
> > maintained regularly.
> >
> > Thanks
> > -Scott
> >
> > On Dec 10, 2007 1:59 PM, Smith, Matt <[EMAIL PROTECTED]> wrote:
> >
> > > All-
> > >
> > >  A public posting just came across my radar detailing a security
> > > vulnerability in the Apache::AuthCAS client.  The poster claims "...
> > > there hasn't been any reply and the guys at ja-sig.org haven't been able
> > > or willing to look into it ..."
> > >
> > >  It appears the poster has not fully validated the vulnerability (a SQL
> > > injection attack), but it may be worth investigation.  It is already
> > > publicly posted, but I won't post the direct link here until given the
> > > go-ahead.
> > >
> > > HTH,
> > > -Matt
> > >
> > > --
> > > Matt Smith
> > > [EMAIL PROTECTED]
> > > University Information Technology Services (UITS)
> > > University of Connecticut
> > > PGP Key ID: 0xE9C5244E
> > >
> > > _______________________________________________
> > > Yale CAS mailing list
> > > [email protected]
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > >
> > >
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia