[cas-dev] Security Issue

Scott Battaglia scott.battaglia at gmail.com
Wed Mar 12 22:26:20 EDT 2008


No problem... it's always good to sanity check things every so often :-)

-Scott

On Wed, Mar 12, 2008 at 10:04 PM, Trenton D. Adams <trenta at athabascau.ca>
wrote:

> Oh, I'm a bit of a dunce actually.  I was thinking that I could intercept
> the CAS cookie when connecting to a service, but I can't because it won't be
> sent to the server unless you are on the CAS context.  I was playing with
> domain based cookies on a test application at the time, so my head was
> wrapped around being able to get the cookies on all the servers.  Which made
> me *assume* that the CAS cookie would do the same.  Silly me. :P  Sorry for
> the confusion.
>
>
> ----- Original Message -----
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> To: "Mailing list for CAS developers" <cas-dev at tp.its.yale.edu>
> Sent: Wednesday, March 12, 2008 6:36:43 PM (GMT-0700) America/Denver
> Subject: Re: [cas-dev] Security Issue
>
> Trenton,
>
> First, thanks for asking this question.  Second, please be careful when
> you label subjects "Security Issue" :-)  If you feel you've found a real
> vulnerability/issue, please contact the jasig security mailing list:
>
> http://www.ja-sig.org/wiki/display/JSG/Security+Contact+Group
>
> That said, all documentation about deploying CAS always states that you
> should be running CAS over HTTPS. You should NEVER run CAS in a production
> system with anything less than HTTPS.  Doing so would jeopardize the
> usernames and passwords being submitted to the CAS system.
>
> However, in the event that you do run CAS over HTTP, its default setup
> (in both CAS 2 and CAS 3) is to only send back the CAS cookie over HTTPS.  It
> should not be sending it back to the browser if CAS is accessed via HTTP
> only.  If you have an unmodified CAS 2 instance sending back the cookie over
> HTTP, then that's a problem.
>
> Thanks
> -Scott
>
> On Wed, Mar 12, 2008 at 7:54 PM, Trenton D. Adams <trenta at athabascau.ca>
> wrote:
>
> > Hi Guys,
> >
> > I'm using CAS 2, not 3.
> >
> > Wouldn't it be a little better to use CASTGC cookies that only work with
> > the original IP?  As it is, if someone were to use regular HTTP (vs
> > HTTPS), I could hack into their account after I have the CASTGC cookie.
> > After realizing that CAS code doesn't do this, I decided to copy the
> > cookie over to another machine, with a different IP, and use it there.
> > It worked just fine, and CAS thought I was authenticated, giving me the
> > "You have been logged in successfully" page.
> >
> > Tomcat's default behaviour is to only allow the original IP access to
> > the session.  Why not use a tomcat session, with a session attribute
> > that has the value of the TGC?
> >
> > Granted that this isn't a problem when using SSL.
> >
> > Thanks.
> >
> > --
> > Trenton D. Adams
> > Systems Analyst/Web Software Engineer
> > Navy Penguins at your service!
> > Athabasca University
> > (780) 675-6195
> > :wq!
> >
> >
> > __
> >    This communication is intended for the use of the recipient to whom it
> >    is addressed, and may contain confidential, personal, and/or privileged
> >    information. Please contact us immediately if you are not the intended
> >    recipient of this communication, and do not copy, distribute, or take
> >    action relying on it. Any communications received in error, or
> >    subsequent reply, should be deleted or destroyed.
> > ---
> > _______________________________________________
> > cas-dev mailing list
> > cas-dev at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >
>
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
>


-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
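The two cookie-scoping properties the thread relies on, shown as an added example (this is not CAS code and not part of the original thread): a browser only returns a cookie carrying the Secure attribute over HTTPS, and a cookie set with Path restricted to the CAS context is not sent to other paths or other hosts. Python's http.cookiejar stands in for the browser. The server name cas.example.edu, the /cas context path, the ticket value and the exact attribute list on the Set-Cookie line are all constructed for the example.

```python
"""Added example (not CAS code): exercise Secure and Path scoping of the
CASTGC cookie using Python's cookie jar as a stand-in for a browser."""
import email.message
import http.cookiejar
import urllib.request

# Assumed CAS deployment: host and context path are constructed for the example.
CAS_LOGIN_URL = "https://cas.example.edu/cas/login"
CAS_CONTEXT_PATH = "/cas"


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header  # Message.__setitem__ appends

    def info(self):
        return self._msg


def tgc_header(ticket, secure=True, path=CAS_CONTEXT_PATH):
    """Build the Set-Cookie line for the ticket-granting cookie.

    secure=False reproduces the misconfiguration the thread warns about:
    a TGC that the browser will also send over plain HTTP.
    """
    attrs = [f"CASTGC={ticket}", f"Path={path}", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def browser_with_tgc(set_cookie_header, login_url=CAS_LOGIN_URL):
    """Return a cookie jar that has received the TGC from the CAS login page."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_SetCookieResponse([set_cookie_header]),
                        urllib.request.Request(login_url))
    return jar


def cookie_sent(jar, url):
    """True if the browser would attach CASTGC to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    hdr = req.get_header("Cookie")
    return hdr is not None and "CASTGC=" in hdr


def scenarios(ticket="TGT-1-example"):
    """Map each case discussed in the thread to whether the TGC is sent."""
    secure_jar = browser_with_tgc(tgc_header(ticket, secure=True))
    insecure_jar = browser_with_tgc(tgc_header(ticket, secure=False))
    return {
        "secure, https to CAS context":
            cookie_sent(secure_jar, "https://cas.example.edu/cas/login?service=x"),
        "secure, plain http to CAS context":
            cookie_sent(secure_jar, "http://cas.example.edu/cas/login"),
        "secure, https to same host outside CAS context":
            cookie_sent(secure_jar, "https://cas.example.edu/"),
        "secure, https to an application on another host":
            cookie_sent(secure_jar, "https://app.example.edu/app/"),
        "Secure flag dropped, plain http to CAS context":
            cookie_sent(insecure_jar, "http://cas.example.edu/cas/login"),
    }


if __name__ == "__main__":
    for case, sent in scenarios().items():
        print(f"{'SENT    ' if sent else 'withheld'}  {case}")
```

Only the first and last cases send the cookie: with the Secure attribute the browser withholds the TGC from any http:// request, and because the cookie is scoped to the CAS context it is never sent to a service on another host or even to another path on the CAS host, which is why it cannot be intercepted "when connecting to a service". Note that the cookie value is the entire credential on the CAS side, so once it leaks (the last case, or a Secure cookie on a CAS instance served over plain HTTP) it can be replayed from any client.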
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas-dev/attachments/20080312/4a8978c1/attachment-0001.html 