[cas-dev] Security Issue
Trenton D. Adams
trenta at athabascau.ca
Wed Mar 12 22:04:11 EDT 2008
Oh, I'm a bit of a dunce actually. I was thinking that I could intercept the CAS cookie when connecting to a service, but I can't because it won't be sent to the server unless you are on the CAS context. I was playing with domain based cookies on a test application at the time, so my head was wrapped around being able to get the cookies on all the servers. Which made me *assume* that the CAS cookie would do the same. Silly me. :P Sorry for the confusion.
----- Original Message -----
From: "Scott Battaglia" <scott.battaglia at gmail.com>
To: "Mailing list for CAS developers" <cas-dev at tp.its.yale.edu>
Sent: Wednesday, March 12, 2008 6:36:43 PM (GMT-0700) America/Denver
Subject: Re: [cas-dev] Security Issue
Trenton,
First, thanks for asking this question. Second, please be careful when you label subjects "Security Issue" :-) If you feel you've found a real vulnerability/issue, please contact the jasig security mailing list:
http://www.ja-sig.org/wiki/display/JSG/Security+Contact+Group
That said, all documentation about deploying CAS always states that you should be running CAS over HTTPS. You should NEVER run CAS in a production system with anything less than HTTPS. Doing so would jeopardize the usernames and passwords being submitted to the CAS system.
However, in the event that you do run CAS over HTTP, its default setup (in both CAS 2 and CAS 3) is to only send back the CAS cookie over HTTPS. It should not be sending it back to the browser if CAS is accessed via HTTP only. If you have an unmodified CAS 2 instance sending back the cookie over HTTP, then that's a problem.
Thanks
-Scott
On Wed, Mar 12, 2008 at 7:54 PM, Trenton D. Adams <trenta at athabascau.ca> wrote:
Hi Guys,
I'm using CAS 2, not 3.
Wouldn't it be a little better to use CASTGC cookies that only work with the original IP? As it is, if someone were to use regular HTTP (vs HTTPS), I could hack into their account after I have the CASTGC cookie. After realizing that CAS code doesn't do this, I decided to copy the cookie over to another machine, with a different IP, and use it there. It worked just fine, and CAS thought I was authenticated, giving me the "You have been logged in successfully" page.

Tomcat's default behaviour is to only allow the original IP access to the session. Why not use a Tomcat session, with a session attribute that has the value of the TGC?

Granted that this isn't a problem when using SSL.
Thanks.
--
Trenton D. Adams
Systems Analyst/Web Software Engineer
Navy Penguins at your service!
Athabasca University
(780) 675-6195
:wq!
_______________________________________________
cas-dev mailing list
cas-dev at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas-dev
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
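The behaviour Scott describes (the ticket-granting cookie is returned only on an HTTPS request and is flagged so the browser never replays it over plain HTTP) is easy to reproduce in a servlet helper. The following is an added illustration, not CAS's own code: the class name, the `/cas` cookie path and the `write` method are assumptions, and only the cookie name `CASTGC` comes from the thread.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper (not CAS's own code) showing the secure-only cookie
 * policy discussed on the list: the TGC is handed to the browser only when
 * the request arrived over TLS, and it carries the Secure attribute so the
 * browser will not send it back over plain HTTP.
 */
public final class TicketGrantingCookieWriter {

    /** Cookie name as used in the thread. */
    public static final String COOKIE_NAME = "CASTGC";

    /** Assumed CAS context path; the cookie is scoped to it, not the whole host. */
    private static final String COOKIE_PATH = "/cas";

    private TicketGrantingCookieWriter() {}

    /**
     * Writes the TGC if, and only if, the request was made over HTTPS.
     *
     * @return true when the cookie was added to the response, false when the
     *         request was plain HTTP and no cookie was issued.
     */
    public static boolean write(HttpServletRequest request,
                                HttpServletResponse response,
                                String ticketGrantingTicketId) {
        if (!request.isSecure()) {
            // Plain HTTP: do not hand out a long-lived authentication token
            // that could be read on the wire.
            return false;
        }
        Cookie tgc = new Cookie(COOKIE_NAME, ticketGrantingTicketId);
        tgc.setSecure(true);        // browser sends it on HTTPS only
        tgc.setPath(COOKIE_PATH);   // limited to the CAS context
        tgc.setMaxAge(-1);          // session cookie, discarded on browser exit
        response.addCookie(tgc);
        return true;
    }

    /**
     * Complementary read-side check: treat a TGC that arrived over plain HTTP as
     * absent, so a cookie leaked or replayed without TLS grants nothing.
     */
    public static String readSecureOnly(HttpServletRequest request) {
        if (!request.isSecure() || request.getCookies() == null) {
            return null;
        }
        for (Cookie c : request.getCookies()) {
            if (COOKIE_NAME.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }
}
```

One caveat for deployments where TLS is terminated on a front-end proxy: `request.isSecure()` reflects what the servlet container saw on its own connector, so it reports false for HTTPS traffic forwarded as HTTP unless the connector is configured to trust the proxy's forwarding headers. Checking the response with a browser's cookie inspector, or any HTTP client that prints `Set-Cookie` headers, against both the `http://` and `https://` URLs of the login page is the quick way to confirm the cookie is only ever issued with `Secure` over HTTPS.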