Authentication bypass in validateCAS20 #228
Comments
Thanks for the report. I will have a look and verify.
Thanks
Looking closely into this, @jfritschi let me know if I can help. PS: if this is true, we have a zero-day with full disclosure prior to patching; it would be wise to treat this issue on a non-public tracker
After analysis, I tend to think it's mostly a server issue. Would be nice to have some upstream filtering just in case though, that's for sure.
Yeah Gregory, as I already stated, the issue is only exploitable with a vulnerable server version. However, the final validation is in the client, and in this case phpCAS interprets a failure message as a success.
* Fixed potential auth bypass issue on old/insecure CAS servers (#228)
@ngocdh Can you verify the fix?
@jfritschi It's good now
@ngocdh Can you give us a reference to the original CAS server side issue? Do you know which versions were affected?
@jfritschi I don't have any reference to the server side issue and how it was raised. I know that 2.x is vulnerable, not sure until which version.
This CAS server issue was probably fixed in this issue in 2010:
@jfritschi you're probably right. They didn't see the risk of authentication bypass though. Thanks for the information.
Hello, Moodle is shipped with the CAS library and we picked just this fix into the stable supported versions. We will upgrade CAS to 1.3.5 in the next major release (3.4, scheduled for November 2017); we normally don't do full upgrades of third-party libraries in the stable versions. I saw that you've included this fix in your release notes as "Security fixes" but I did not find a CVE for it. Do you have a CVE for this fix? Thanks in advance
Hi @marinaglancy , Here you are: CVE-2017-1000071. Ngoc
@ngocdh This does not look like a valid CVE? Are you sure?
Yes @jfritschi, information about it can be found here: https://github.com/distributedweaknessfiling/DWF-CVE-Database/tree/master/2017/1000xxx
Okay, thanks for clearing that up!
Hello,
I found a way to abuse the failure message from an old CAS server to bypass authentication, even if the latest phpCAS is used.
The CAS20 validation function is like this:
A normal authenticationFailure message is like this:
In old CAS server versions, it was possible to inject XML tags in the ticket so that the failure message becomes:
Now check the PHP code above and guess what happens: authentication success! The authenticationFailure elements are ignored.
Again, this is only possible when latest phpCas is configured to authenticate against old CAS server. Still, that does exist.
Some other CAS clients might also be vulnerable, I didn't verify though.
Dau Huy Ngoc from Deloitte France
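The pattern the report describes, reduced to a runnable illustration. This is an added example and is neither phpCAS's code nor the reporter's: it shows a lenient CAS 2.0 serviceValidate parser that looks for any authenticationSuccess element in the response and ignores authenticationFailure, next to a strict parser that fails closed. The three sample responses are constructed; the "injected" one assumes a server that echoes the unescaped ticket into the failure text, which is the server-side behaviour the issue refers to, not a copy of any real server's output.

```python
"""Added example (not phpCAS code): a lenient CAS 2.0 response parser that
is fooled by XML injected into an authenticationFailure message, beside a
strict parser that rejects the same response. Sample responses are
constructed for this example."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"


def _q(name: str) -> str:
    """Namespace-qualify a CAS element name for ElementTree lookups."""
    return "{%s}%s" % (CAS_NS, name)


# Constructed: a genuine successful serviceValidate reply.
GENUINE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed: a normal failure reply for an unknown ticket.
NORMAL_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-12345' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed/hypothetical: a server that echoes the ticket into the failure
# message without escaping it, so markup carried in the "ticket" survives.
INJECTED_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1<cas:authenticationSuccess><cas:user>admin</cas:user></cas:authenticationSuccess>' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def lenient_validate(body: str):
    """Vulnerable pattern: search the whole document for an
    authenticationSuccess element and never look for a failure.
    Returns the asserted username, or None."""
    root = ET.fromstring(body)
    success = root.find(".//" + _q("authenticationSuccess"))
    if success is None:
        return None
    user = success.find(_q("user"))
    return user.text.strip() if user is not None and user.text else None


def strict_validate(body: str):
    """Hardened pattern: accept only a response with exactly the shape of a
    successful reply and fail closed on anything else."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != _q("serviceResponse"):
        return None
    # Any failure element anywhere, including one wrapping an injected
    # success element, means the server rejected the ticket.
    if root.find(".//" + _q("authenticationFailure")) is not None:
        return None
    # The success element must be the sole direct child of serviceResponse.
    children = list(root)
    if len(children) != 1 or children[0].tag != _q("authenticationSuccess"):
        return None
    success = children[0]
    # A success element nested inside another is a sign of tampering.
    if success.find(".//" + _q("authenticationSuccess")) is not None:
        return None
    user = success.find(_q("user"))
    if user is None or not user.text or not user.text.strip():
        return None
    return user.text.strip()


if __name__ == "__main__":
    samples = [("genuine", GENUINE_SUCCESS),
               ("failure", NORMAL_FAILURE),
               ("injected", INJECTED_FAILURE)]
    for name, body in samples:
        print("%-8s lenient=%r strict=%r"
              % (name, lenient_validate(body), strict_validate(body)))
```

Run stand-alone, the lenient parser reports `admin` for the injected failure while the strict one returns `None` for it and still accepts the genuine success. The server-side fix is to escape the ticket before echoing it; the client-side defence is to treat the presence of any authenticationFailure element as a rejection and to require the success element at the top level, rather than searching the tree for a success element anywhere.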