
This queue is for tickets about the Apache-AuthCAS CPAN distribution.

Report information
The Basics
Id: 32326
Status: resolved
Priority: 0/
Queue: Apache-AuthCAS

People
Owner: Nobody in particular
Requestors: sebastien.barre [...] univ-paris-diderot.fr
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 0.4
Fixed in: (no value)



Subject: Session ID possible SQL Injection Patch
Just uploading the file, so the patches are centralized. Hardening suggested by http://www.securityfocus.com/bid/26762. The regex is restricted according to the 'create_session_id' function (Line 1349).
Subject: AuthCAS.sid_fix.patch
--- AuthCAS.pm 2008-01-14 14:00:33.000000000 +0100 +++ AuthCAS.pm.patched 2008-01-14 14:00:33.000000000 +0100 @@ -513,7 +513,8 @@ Apache->warn("$$: CAS: authenticate(): cookie found: '$cookie'") unless ($LOG_LEVEL < $LOG_DEBUG); # get session id from the cookie - $cookie =~ /.*$SESSION_COOKIE_NAME=([^;]+)(\s*;.*|\s*$)/; + # FIXED according to create_session_id function, because of http://www.securityfocus.com/bid/26762 + $cookie =~ /.*$SESSION_COOKIE_NAME=([\w\.\/]{32})(\s*;.*|\s*$)/; $sid = $1 || ""; if (!$sid) { # no sessions id in cookie?
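Review bot: The match result is still not tested before `$sid = $1 || "";`, so when the tightened pattern fails to match, `$1` can keep the capture from an earlier successful match in the same scope. Assign from the match in list context, `($sid) = $cookie =~ /.../;`, or guard the assignment with `if ($cookie =~ /.../)`, so that a rejected cookie always yields an empty `$sid`. In the same line, `$SESSION_COOKIE_NAME` is interpolated without `\Q...\E` and follows an unanchored `.*`, so the name is treated as a pattern and can match as the tail of a longer cookie name; quoting it and anchoring on the start of the string or a `;` would tighten this. The `{32}` and the character class repeat what the comment says create_session_id produces, so a shared constant would keep the two from drifting apart.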
The fix was a little more extensive than the submitted patch. All parameters to SQL queries have been switched to using bind params instead, so SQL injection isn't possible, no matter what the value.
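The two layers discussed in this ticket (format check on the cookie value, bind parameters in the query), as an added example that is not the AuthCAS code. The cookie name, table and column names are hypothetical, and DBD::SQLite is assumed so the example runs against an in-memory database.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumptions (not from AuthCAS.pm): cookie name, table and column names,
# and an in-memory SQLite database via DBD::SQLite so this runs offline.
my $SESSION_COOKIE_NAME = 'APACHECAS';    # hypothetical cookie name

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE cas_sessions (id TEXT PRIMARY KEY, user_id TEXT)');

my $good_sid = 'A' x 32;                  # constructed 32-character session id
$dbh->do('INSERT INTO cas_sessions (id, user_id) VALUES (?, ?)',
         undef, $good_sid, 'alice');

# Extract the session id. The match result is tested, so a failed match
# can never hand back a stale $1 from an earlier successful match.
sub sid_from_cookie {
    my ($cookie) = @_;
    return $cookie =~ /(?:^|;\s*)\Q$SESSION_COOKIE_NAME\E=([\w.\/]{32})\s*(?:;|$)/
        ? $1 : '';
}

# Look up the session owner with a bind parameter: the value travels as
# data and is never spliced into the SQL text.
sub user_for_sid {
    my ($sid) = @_;
    return unless length $sid;
    my ($user) = $dbh->selectrow_array(
        'SELECT user_id FROM cas_sessions WHERE id = ?', undef, $sid);
    return $user;
}

# Constructed inputs: a well-formed cookie and a value containing quotes.
my $odd_value = "not-a-sid' OR '1'='1";
for my $cookie ("foo=bar; $SESSION_COOKIE_NAME=$good_sid",
                "$SESSION_COOKIE_NAME=$odd_value") {
    my $sid  = sid_from_cookie($cookie);
    my $user = user_for_sid($sid);
    printf "validated: sid=%s user=%s\n",
           $sid || '(rejected)', defined $user ? $user : '(none)';
}

# Even if validation is skipped, the bound value is only compared as a string.
my $user = user_for_sid($odd_value);
printf "unvalidated lookup: user=%s\n", defined $user ? $user : '(none)';
```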