phpCAS Client
PHPCAS-52

XSS vulnerability. URL on the error page is not sanitized

Details

    • Type: Security Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0, 1.0.1, 1.1.0
    • Fix Version/s: 1.1.0
    • Labels: None

      Description

The phpCAS library does not properly sanitize the URL submitted before displaying it on the error page. An attacker can insert scripts or other malicious content into the error page if a bogus ticket is included in the URL.

The vulnerability was found by a Drupal user and forwarded by the Drupal phpCAS module maintainer David Metzler from The Evergreen State College.

Attachments

      1. xss_vul-trunk.patch (1 kB, Joachim Fritschi)
      2. xss.patch (0.6 kB, Joe Lencioni)

        Activity

Joachim Fritschi added a comment:

        Patch for trunk that fixes the issue.

        The old code works on the query URL to remove the ticket and returns the URL without checking the parameters. The patch extracts the parameters from the GET array and sanitizes all of them by urlencoding their content.
        Joachim Fritschi added a comment:

        Patch committed to svn and released in version 1.1.0RC7.
        Joe Lencioni added a comment:

        I believe that simply wrapping the $this->getURL() call in authError() is a better solution to this vulnerability. I have attached a patch.
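        The two approaches discussed in the comments, sketched as an added PHP example (not phpCAS code and not either attached patch, which are not reproduced on this page): rebuilding the query string from $_GET with urlencode() on every key and value, and escaping the URL where it is written into the error page. Function names are hypothetical, and since Joe Lencioni's comment does not say what the getURL() call is wrapped in, htmlspecialchars() is an assumption.

```php
<?php
// Added example, not phpCAS code and not either attached patch. Sketches the two
// approaches described in the comments; function names are hypothetical.

// Vulnerable pattern: the raw query string is reused after only the ticket is
// removed, so every other parameter reaches the error page unchanged.
function getUrlVulnerable(string $baseUrl, string $rawQuery): string
{
    $query = preg_replace('/(^|&)ticket=[^&]*/', '', $rawQuery);
    $query = ltrim($query, '&');
    return $query === '' ? $baseUrl : $baseUrl . '?' . $query;
}

// Fixed pattern (the trunk patch as the comment describes it): take the parameters
// from the parsed GET array, drop the ticket, and urlencode every key and value
// so the rebuilt URL contains only URL-safe characters.
function getUrlSanitized(string $baseUrl, array $get): string
{
    unset($get['ticket']);
    $parts = [];
    foreach ($get as $key => $value) {
        $parts[] = urlencode((string) $key) . '=' . urlencode((string) $value);
    }
    return $parts === [] ? $baseUrl : $baseUrl . '?' . implode('&', $parts);
}

// Output-side defence: escape the URL at the point it is written into the HTML
// error page. The comment only says the getURL() call is "wrapped";
// htmlspecialchars() is assumed here.
function renderAuthError(string $url): string
{
    return '<p>Authentication failed for <code>'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
        . '</code></p>';
}

// Constructed input: a bogus ticket plus a parameter carrying HTML metacharacters.
$rawQuery = 'ticket=ST-bogus&service=<"x">';
parse_str($rawQuery, $get);
$base = 'https://example.test/app/';

echo getUrlVulnerable($base, $rawQuery), "\n";               // metacharacters pass through
echo getUrlSanitized($base, $get), "\n";                     // percent-encoded instead
echo renderAuthError(getUrlVulnerable($base, $rawQuery)), "\n"; // escaped at output
```

        Either layer alone closes this report's error-page case; applying both keeps the URL harmless even if a later caller echoes getURL() somewhere the output escaping was forgotten.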

People

          • Assignee: Joachim Fritschi
          • Reporter: Joachim Fritschi
          • Votes: 0
          • Watchers: 1
