[cas-dev] Security Issue

Scott Battaglia scott.battaglia at gmail.com
Wed Mar 12 20:36:43 EDT 2008


Trenton,

First, thanks for asking this question.  Second, please be careful when you
label subjects "Security Issue" :-)  If you feel you've found a real
vulnerability/issue, please contact the jasig security mailing list:

http://www.ja-sig.org/wiki/display/JSG/Security+Contact+Group

That said, all documentation about deploying CAS always states that you
should be running CAS over HTTPS. You should NEVER run CAS in a production
system with anything less than HTTPS.  Doing so would jeopardize the
usernames and passwords being submitted to the CAS system.

However, in the event that you do run CAS over HTTP, its default setup (in
both CAS 2 and CAS 3) is to only send back the CAS cookie over HTTPS.  It
should not be sending it back to the browser if CAS is accessed via HTTP
only.  If you have an unmodified CAS2 instance sending back the cookie over
HTTP, then that's a problem.

Thanks
-Scott

On Wed, Mar 12, 2008 at 7:54 PM, Trenton D. Adams <trenta at athabascau.ca>
wrote:

> Hi Guys,
>
> I'm using CAS 2, not 3.
>
> Wouldn't it be a little better to use CASTGC cookies that only work with
> the original IP?  As it is, if someone were to use regular HTTP (vs
> HTTPS), I could hack into their account after I have the CASTGC cookie.
> After realizing that CAS code doesn't do this, I decided to copy the
> cookie over to another machine, with a different IP, and use it there.
> It worked just fine, and CAS thought I was authenticated, giving me the
> "You have been logged in successfully" page.
>
> Tomcat's default behaviour is to only allow the original IP access to
> the session.  Why not use a tomcat session, with a session attribute
> that has the value of the TGC?
>
> Granted that this isn't a problem when using SSL.
>
> Thanks.
>
> --
> Trenton D. Adams
> Systems Analyst/Web Software Engineer
> Navy Penguins at your service!
> Athabasca University
> (780) 675-6195
> :wq!
>



-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
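The behaviour Scott describes above (the CASTGC cookie is only issued over HTTPS, and should never reach the browser on a plain-HTTP login) can be checked from the server's response headers. The following is an added example, not CAS project code: it audits a captured /login response for the request scheme and the cookie's Secure attribute. The cookie name CASTGC comes from the thread; the sample headers are constructed.

```python
# Added example (not from the CAS project): audit a CAS /login response for
# the default behaviour described in the thread, namely that the CASTGC
# ticket-granting cookie is only issued over HTTPS, and that when issued it
# carries the Secure attribute so the browser never replays it over HTTP.
from http.cookies import SimpleCookie

def audit_tgc_cookie(request_scheme, set_cookie_headers, cookie_name="CASTGC"):
    """Return a list of findings; an empty list means the response is acceptable.

    request_scheme:     "http" or "https", the scheme the browser used for /login
    set_cookie_headers: the Set-Cookie header values from the response
    """
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if cookie_name not in jar:
            continue  # unrelated cookie (e.g. a container session id)
        morsel = jar[cookie_name]
        if request_scheme != "https":
            # The TGC itself travelled in cleartext; anyone on the path now
            # holds a working authenticated session (Trenton's observation).
            findings.append(f"{cookie_name} issued over {request_scheme}")
        if not morsel["secure"]:
            # Without Secure the browser will send the TGC on any later
            # http:// request to the CAS host, defeating the HTTPS-only rule.
            findings.append(f"{cookie_name} lacks the Secure attribute")
    return findings

# Constructed sample responses: a misconfigured HTTP login that hands out
# the TGC, and the expected default behaviour over HTTPS.
SAMPLE_HTTP_LOGIN = ("http", ["JSESSIONID=0123ABC; Path=/cas",
                              "CASTGC=TGT-1-example; Path=/cas"])
SAMPLE_HTTPS_LOGIN = ("https", ["JSESSIONID=0123ABC; Path=/cas",
                                "CASTGC=TGT-1-example; Path=/cas; Secure"])

def run_samples():
    """Audit both constructed samples and return their findings."""
    return {scheme: audit_tgc_cookie(scheme, headers)
            for scheme, headers in (SAMPLE_HTTP_LOGIN, SAMPLE_HTTPS_LOGIN)}

if __name__ == "__main__":
    for scheme, findings in run_samples().items():
        print(scheme, "->", findings or "OK")
```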