Source: php-cas
Version: 1.3.8-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.3.6-1
Hi,

The following vulnerability was published for php-cas.

CVE-2022-39369[0]:
| phpCAS is an authentication library that allows PHP applications to
| easily authenticate users via a Central Authentication Service (CAS)
| server. The phpCAS library uses HTTP headers to determine the service
| URL used to validate tickets. This allows an attacker to control the
| host header and use a valid ticket granted for any authorized service
| in the same SSO realm (CAS server) to authenticate to the service
| protected by phpCAS. Depending on the settings of the CAS server
| service registry in worst case this may be any other service URL (if
| the allowed URLs are configured to "^(https)://.*") or may be strictly
| limited to known and authorized services in the same SSO federation if
| proper URL service validation is applied. This vulnerability may allow
| an attacker to gain access to a victim's account on a vulnerable
| CASified service without victim's knowledge, when the victim visits
| attacker's website while being logged in to the same CAS server.
|
| phpCAS 1.6.0 is a major version upgrade that starts enforcing service
| URL discovery validation, because there is unfortunately no 100% safe
| default config to use in PHP. Starting this version, it is required to
| pass in an additional service base URL argument when constructing the
| client class. For more information, please refer to the upgrading doc.
|
| This vulnerability only impacts the CAS client that the phpCAS library
| protects against. The problematic service URL discovery behavior in
| phpCAS < 1.6.0 will only be disabled, and thus you are not impacted
| from it, if the phpCAS configuration has the following setup:
|
| 1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the
|    full URL of the current page, rather than your service base URL), and
| 2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is
|    enabled.
| 3. If your PHP's HTTP header input `X-Forwarded-Host`,
|    `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol`
|    is sanitized before reaching PHP (by a reverse proxy, for example),
|    you will not be impacted by this vulnerability either.
|
| If your CAS server service registry is configured to only allow known and
| trusted service URLs the severity of the vulnerability is reduced
| substantially in its severity since an attacker must be in control of
| another authorized service. Otherwise, you should upgrade the library
| to get the safe service discovery behavior.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39369
    https://www.cve.org/CVERecord?id=CVE-2022-39369
[1] https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64

Regards,
Salvatore
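The mitigation the advisory describes (a fixed service base URL plus `phpCAS::setUrl()` with the full page URL, so the validated service URL never depends on `Host` or `X-Forwarded-*`), as an added example that is not part of the bug report or of the phpCAS project. It assumes phpCAS >= 1.6.0, where `phpCAS::client()` takes the service base URL as its fifth argument; `app.example.org`, `cas.example.org` and `currentPageUrl()` are placeholders chosen for the example.

```php
<?php
// Added example, not from the bug report or from phpCAS itself.
// Assumes phpCAS >= 1.6.0 (service base URL as 5th client() argument).
require_once 'CAS.php';

// The only origin phpCAS may put into the service URL. Hard-coded or
// loaded from trusted configuration, never derived from a request header.
const SERVICE_BASE_URL = 'https://app.example.org';   // placeholder

// Full URL of the current page = fixed base + request path and query.
// Scheme, host and port come from configuration; only the path is taken
// from the request, so Host/X-Forwarded-* headers cannot change the
// service URL that the CAS server validates the ticket against.
function currentPageUrl(string $base, string $requestUri): string
{
    // Accept only an absolute path; anything else falls back to "/".
    if ($requestUri === '' || $requestUri[0] !== '/') {
        $requestUri = '/';
    }
    return rtrim($base, '/') . $requestUri;
}

phpCAS::client(
    CAS_VERSION_2_0,
    'cas.example.org',      // placeholder CAS server hostname
    443,
    '/cas',
    SERVICE_BASE_URL        // 1.6.0: enforced service base URL
);

// Also set the service URL explicitly, as the advisory recommends for
// older releases: the full current-page URL, not the base URL alone.
phpCAS::setUrl(currentPageUrl(SERVICE_BASE_URL, $_SERVER['REQUEST_URI'] ?? '/'));

// Proxy mode is not enabled here; if it were, phpCAS::setCallbackURL()
// would need a URL built the same way, from the fixed base.

phpCAS::forceAuthentication();
```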