Apache::AuthCAS security bug
Smith, Matt
matt.smith at uconn.edu
Mon Dec 10 13:59:25 EST 2007
All-
A public posting just came across my radar detailing a security
vulnerability in the Apache::AuthCAS client. The poster claims "...
there hasn't been any reply and the guys at ja-sig.org haven't been able
or willing to look into it ..."
It appears the poster has not fully validated the vulnerability (a SQL
injection attack), but it may be worth investigation. It is already
publicly posted, but I won't post the direct link here until given the
go-ahead.
HTH,
-Matt
--
Matt Smith
matt.smith at uconn.edu
University Information Technology Services (UITS)
University of Connecticut
PGP Key ID: 0xE9C5244E