[Micronet] Fwd: phpCAS security vulnerabilities (all versions prior to 1.1.2)


Paul Fisher-2
The attached email was previously sent to the calnet-developers list.
I was asked to resend the email to Micronet.  Details below.

Paul

Fedora shipped a new version of phpCAS yesterday.  Anyone running
phpCAS with campus apps should upgrade to version 1.1.2 if they
haven't done so already.

 From the phpCAS website:

     All phpCAS versions before 1.1.2 have 2 security issues
     CVE-2010-2795, CVE-2010-2796. One of them is a serious session
     hijacking possibility. Please upgrade to the latest version.

CVE summaries:

     CVE-2010-2795: phpCAS before 1.1.2 allows remote authenticated
     users to hijack sessions via a query string containing a crafted
     ticket value.
     <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2795>

     CVE-2010-2796: Cross-site scripting (XSS) vulnerability in phpCAS
     before 1.1.2, when proxy mode is enabled, allows remote attackers
     to inject arbitrary web script or HTML via a callback URL.
     <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2796>

Paul

-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
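The two CVE summaries above name two attacker-controlled inputs: the ticket value in the query string and the proxy callback URL. The following is an added example, not code from phpCAS or from the original message, showing the input checks an application sitting in front of a CAS client would want on both, independent of the library version. It assumes the CAS protocol's ticket syntax (service tickets start with "ST-", proxy tickets with "PT-"), that the callback must be an absolute https URL on a host the application expects, and that the callback is only ever rendered through an HTML escaper; the function names and sample inputs are constructed for illustration.

```php
<?php
// Added example (not phpCAS code). Defensive handling of the two inputs
// named in CVE-2010-2795 and CVE-2010-2796: the CAS ticket from the query
// string and the proxy callback URL. Upgrading phpCAS is the real fix;
// these checks are belt-and-braces for the application side.

// CAS service tickets begin with "ST-" and proxy tickets with "PT-"
// (CAS protocol spec). The remainder is opaque; limit it to a conservative
// character set and length so a crafted value never reaches session
// handling or the validation request to the CAS server. (Assumption: the
// deployment's CAS server issues tickets within this charset and length.)
function cas_ticket_is_well_formed(string $ticket): bool
{
    return (bool) preg_match('/^(ST|PT)-[A-Za-z0-9._-]{1,256}$/', $ticket);
}

// A proxy callback URL must be absolute, https, and point at the host this
// application expects for its own PGT callback. Anything else is rejected
// before it is stored, logged, or rendered.
function cas_callback_is_acceptable(string $url, string $expectedHost): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false;
    }
    if (strcasecmp($parts['host'], $expectedHost) !== 0) {
        return false;
    }
    // No control characters, quotes or angle brackets anywhere in the URL.
    if (preg_match('/[\x00-\x1F\x7F"\'<>]/', $url)) {
        return false;
    }
    return true;
}

// Even an accepted URL is only ever emitted through an HTML escaper, so a
// value that slips past the allow-list cannot inject markup.
function render_callback_link(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '">callback</a>';
}

// After a ticket validates, never keep the pre-login session id and never
// derive the session id from request input: rotate it server-side.
function start_authenticated_session(string $user): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);      // new id, old one deleted
    $_SESSION['cas_user'] = $user;
}

// Constructed sample inputs (not real tickets or hosts).
$tickets = [
    'ST-12345-abcdefghij-cas01.example.edu' => true,
    'PT-98765-zyxwvu-cas01.example.edu'     => true,
    'ST-../../etc/passwd'                   => false,
    '<script>alert(1)</script>'             => false,
    ''                                      => false,
];
foreach ($tickets as $t => $expected) {
    $ok = cas_ticket_is_well_formed($t);
    printf("%-40s %s\n", $t, $ok === $expected ? 'as expected' : 'MISMATCH');
}

$callbacks = [
    'https://app.example.edu/cas/callback'                => true,
    'http://app.example.edu/cas/callback'                 => false,
    'https://evil.example.net/cas/callback'               => false,
    'https://app.example.edu/cb?x="><script>alert(1)<'    => false,
];
foreach ($callbacks as $u => $expected) {
    $ok = cas_callback_is_acceptable($u, 'app.example.edu');
    printf("%-50s %s\n", $u, $ok === $expected ? 'as expected' : 'MISMATCH');
}

// Escaping is applied even to an accepted value.
echo render_callback_link('https://app.example.edu/cas/callback?x=1&y=2'), "\n";
```

Run it from the command line with `php example.php`; the session rotation function is only meaningful inside a web request and is shown for the pattern, not exercised by the driver. The allow-list on the callback host is the important part: escaping alone stops script injection in the rendered page, but it does not stop the callback being pointed at a host the attacker controls.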