A flaw in legacy releases of cosign makes it possible for an attacker to trick a victim into registering a service cookie with the victim's weblogin cookie on behalf of the attacker, allowing the attacker to pose as the victim for that particular service. The flaw affects all versions of cosign up to and including 2.1.1. cosign 3.0 was released to address this flaw.
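The flaw described above belongs to the session-fixation family: a service cookie value the attacker already knows gets bound to the victim's identity. The following is an added illustration written for this page, not cosign's own code and not a description of how cosign 3.0 fixed the issue. It models a weblogin server's service-cookie registry in two variants: one that accepts any caller-supplied cookie value (the weak pattern), and one that only registers cookie values it minted itself for that exact weblogin session, verified with an HMAC. Names such as ServiceCookieRegistry, register_unbound and register_bound, and the cookie format, are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side key for this illustration only (assumption).
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class WebloginSession:
    """One authenticated weblogin session, i.e. what the weblogin cookie represents."""
    user: str
    session_id: str = field(default_factory=lambda: secrets.token_hex(16))


class ServiceCookieRegistry:
    """Maps service cookie values to the user they were registered for (hypothetical model)."""

    def __init__(self):
        self.registry = {}

    # --- Weak pattern: the registration trusts whatever cookie value arrives ---
    def register_unbound(self, session, service_cookie):
        """Bind a caller-supplied service cookie value to the session's user.
        The value is not tied to the session, so a value picked by a third
        party ends up registered as this user if the user can be made to
        submit it."""
        self.registry[service_cookie] = session.user
        return True

    # --- Hardened pattern: only server-minted, session-bound values register ---
    def _tag(self, session, service_name, nonce):
        msg = f"{session.session_id}|{service_name}|{nonce}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue_service_cookie(self, session, service_name):
        """Mint a fresh cookie value bound to this weblogin session."""
        nonce = secrets.token_hex(16)
        return f"{service_name}={nonce}.{self._tag(session, service_name, nonce)}"

    def register_bound(self, session, service_cookie):
        """Register a cookie only if it carries a valid tag for this session.
        A value chosen by someone else, or minted for a different session,
        fails the check and is never associated with this user."""
        try:
            service_name, rest = service_cookie.split("=", 1)
            nonce, tag = rest.split(".", 1)
        except ValueError:
            return False
        expected = self._tag(session, service_name, nonce)
        if not hmac.compare_digest(tag, expected):
            return False
        self.registry[service_cookie] = session.user
        return True

    def whoami(self, service_cookie):
        """Identity the service would see for a presented cookie, or None."""
        return self.registry.get(service_cookie)


if __name__ == "__main__":
    reg = ServiceCookieRegistry()
    victim = WebloginSession(user="victim")
    foreign_value = "svc=value-known-to-a-third-party"  # constructed
    print("unbound:", reg.register_unbound(victim, foreign_value), reg.whoami(foreign_value))
    reg2 = ServiceCookieRegistry()
    print("bound, foreign value:", reg2.register_bound(victim, foreign_value))
    minted = reg2.issue_service_cookie(victim, "svc")
    print("bound, minted value:", reg2.register_bound(victim, minted), reg2.whoami(minted))
```

The point of the hardened variant is that the registry never records a cookie value it did not generate for the presenting session, which is the property the advisory's attack scenario relies on being absent.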
Details of the vulnerability can be found at:

http://weblogin.org/cosign-vuln-2009-002.txt

Organizations running cosign should upgrade to the latest release of cosign 3.0 immediately. cosign 3.0 may be downloaded here:

http://weblogin.org/download.html

The University of Michigan posted a migration page to assist local web administrators during the transition to cosign 3.0.

http://www.itcs.umich.edu/itcsdocs/s4364/

andrew

------------------------------------------------------------------------------
_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
