
php-pear-CAS: multiple vulnerabilities

Package(s): php-pear-CAS    CVE #(s): CVE-2012-1104, CVE-2012-1105
Created: April 2, 2012    Updated: April 4, 2012
Description: From the Red Hat bugzilla [1], [2]

1) A security flaw was found in the way phpCAS managed proxying of services. In the default configuration, a phpCAS-protected application allowed any other CAS service with proxy authorization and valid user credentials in the same SSO realm to proxy to other phpCAS applications. An application to which CAS services had been proxied could use this flaw to use those CAS services in an unauthorized way.

2) An information disclosure flaw was found in the way phpCAS, the Central Authentication Service client library for PHP, performed archiving of the debug logging file in the default debug configuration and archiving of proxy configuration session data. Both files were archived in the /tmp directory with unsafe permissions. A local attacker could use this flaw to obtain private user attributes and sensitive login tokens by inspecting the content of those archived files.
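As an added illustration (not part of the advisory or of the phpCAS project), the following application-side configuration avoids relying on the two library defaults described above: it pins which service may proxy to this application and keeps the debug log and PGT storage out of the shared /tmp directory. The phpCAS calls used (phpCAS::setDebug, phpCAS::setPGTStorageFile, phpCAS::proxy, phpCAS::allowProxyChain, CAS_ProxyChain) are assumed to match phpCAS 1.3.x; hostnames and paths are placeholders.

```php
<?php
// Added example, not phpCAS project code. API names are assumed to be
// those of phpCAS 1.3.x; verify them against the version you deploy.
require_once 'CAS.php';

// CVE-2012-1105: nothing this process creates should be group/world readable,
// and neither the debug log nor the proxy session data belongs in /tmp.
umask(0077);
$stateDir = '/var/lib/phpcas';   // assumed path, owned by the web server user
$logDir   = '/var/log/phpcas';   // assumed path, owned by the web server user
foreach (array($stateDir, $logDir) as $dir) {
    if (!is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException("phpCAS directory $dir is missing or not writable");
    }
}
phpCAS::setDebug($logDir . '/phpCAS.log');   // instead of the default /tmp location

// Proxy-mode client for this application (CAS server name is a placeholder).
phpCAS::proxy(CAS_VERSION_2_0, 'cas.example.org', 443, '/cas');

// Proxy-granting tickets are session data; store them in a private directory.
phpCAS::setPGTStorageFile($stateDir);

// CVE-2012-1104: do not accept arbitrary proxy chains. Only the listed
// front-end service may proxy authentication to this application.
phpCAS::allowProxyChain(new CAS_ProxyChain(array(
    'https://portal.example.org/cas-proxy-callback',
)));

phpCAS::forceAuthentication();

// Post-condition check: report a debug log that became readable by others
// (for example because an operator changed the umask or the directory mode).
$log = $logDir . '/phpCAS.log';
if (file_exists($log) && (fileperms($log) & 0077) !== 0) {
    error_log("phpCAS debug log $log is readable by other local users");
}
```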

Alerts:
Fedora FEDORA-2012-4077 php-pear-CAS 2012-03-31
Fedora FEDORA-2012-4119 php-pear-CAS 2012-03-31

Copyright © 2026, Eklektix, Inc.