phpCAS Client / PHPCAS-52

XSS vulnerability. URL on the error page is not sanitized

    Details

    • Type: Security Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0, 1.0.1, 1.1.0
    • Fix Version/s: 1.1.0
    • Labels: None

      Description

      The phpCAS library does not properly sanitize the submitted URL before displaying it on the error page. An attacker can inject scripts or other malicious content into the error page by including a bogus ticket in the URL, because the URL (ticket parameter included) is written into the page without HTML escaping.

      The vulnerability was found by a Drupal user and forwarded by the Drupal phpCAS module maintainer David Metzler from The Evergreen State College.
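      The pattern behind this issue, as an added illustration that is not phpCAS code: an error page that concatenates the requested URL straight into HTML, next to a version that escapes every untrusted value for the HTML text context. The function names, the sample service URL and the ticket payload are constructed for the example.

```php
<?php
// Added illustration for PHPCAS-52; not code from the phpCAS project.
// Shows the vulnerable pattern (reflecting the requested URL into the
// error page unescaped) beside a hardened version.

// Vulnerable: the URL, including whatever the attacker placed in the
// ticket parameter, is written verbatim into the HTML response.
function renderErrorPageVulnerable(string $url, string $reason): string
{
    return "<h1>Authentication error</h1>\n"
         . "<p>Could not validate the ticket for " . $url . ": " . $reason . "</p>\n";
}

// Hardened: escape every untrusted value before it reaches the HTML.
// ENT_QUOTES also escapes single quotes, ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string, and the charset is
// stated explicitly so the escaping matches the page encoding.
function htmlEscape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderErrorPageHardened(string $url, string $reason): string
{
    return "<h1>Authentication error</h1>\n"
         . "<p>Could not validate the ticket for " . htmlEscape($url)
         . ": " . htmlEscape($reason) . "</p>\n";
}

// Constructed request URL: a bogus ticket value carrying markup, the way
// an attacker would craft a link to the protected application. The host
// and payload are made up for this example.
$serviceUrl = 'https://app.example.org/login?ticket=ST-bogus<script>alert(document.domain)</script>';
$reason     = 'ticket was rejected by the CAS server';

// The <script> element is emitted as-is and executes in the victim's browser.
echo renderErrorPageVulnerable($serviceUrl, $reason);

// The payload is rendered as inert text: &lt;script&gt;...&lt;/script&gt;
echo renderErrorPageHardened($serviceUrl, $reason);

// Self-check: the hardened output must not contain a raw tag from the input.
assert(strpos(renderErrorPageHardened($serviceUrl, $reason), '<script') === false);
```

      Escaping at output time is the fix that covers every value reaching the page; validating the ticket format on input (for example rejecting anything that is not a plain `ST-` token) is a useful extra check but does not replace it, since the rest of the URL is attacker-controlled as well.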

    People

    • Assignee: Joachim Fritschi (fritschi)
    • Reporter: Joachim Fritschi (fritschi)
    • Votes: 0
    • Watchers: 1
