php-cas: CVE-2022-39369: Service Hostname Discovery Exploitation

Related Vulnerabilities: CVE-2022-39369  

Debian Bug report logs - #1023571


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 6 Nov 2022 20:15:02 UTC

Severity: grave

Tags: security, upstream

Found in versions php-cas/1.3.6-1, php-cas/1.3.8-1

Fixed in version php-cas/1.6.0-1

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Xavier Guimard <yadd@debian.org>:
Bug#1023571; Package src:php-cas. (Sun, 06 Nov 2022 20:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Xavier Guimard <yadd@debian.org>. (Sun, 06 Nov 2022 20:15:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-cas: CVE-2022-39369: Service Hostname Discovery Exploitation
Date: Sun, 06 Nov 2022 21:12:10 +0100
Source: php-cas
Version: 1.3.8-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.3.6-1

Hi,

The following vulnerability was published for php-cas.

CVE-2022-39369[0]:
| phpCAS is an authentication library that allows PHP applications to
| easily authenticate users via a Central Authentication Service (CAS)
| server. The phpCAS library uses HTTP headers to determine the service
| URL used to validate tickets. This allows an attacker to control the
| host header and use a valid ticket granted for any authorized service
| in the same SSO realm (CAS server) to authenticate to the service
| protected by phpCAS. Depending on the settings of the CAS server
| service registry in worst case this may be any other service URL (if
| the allowed URLs are configured to "^(https)://.*") or may be strictly
| limited to known and authorized services in the same SSO federation if
| proper URL service validation is applied. This vulnerability may allow
| an attacker to gain access to a victim's account on a vulnerable
| CASified service without victim's knowledge, when the victim visits
| attacker's website while being logged in to the same CAS server.
| phpCAS 1.6.0 is a major version upgrade that starts enforcing service
| URL discovery validation, because there is unfortunately no 100% safe
| default config to use in PHP. Starting this version, it is required to
| pass in an additional service base URL argument when constructing the
| client class. For more information, please refer to the upgrading doc.
| This vulnerability only impacts the CAS client that the phpCAS library
| protects against. The problematic service URL discovery behavior in
| phpCAS < 1.6.0 will only be disabled, and thus you are not impacted
| from it, if the phpCAS configuration has the following setup: 1.
| `phpCAS::setUrl()` is called (a reminder that you have to pass in the
| full URL of the current page, rather than your service base URL), and
| 2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is
| enabled. 3. If your PHP's HTTP header input `X-Forwarded-Host`,
| `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`,
| `X-Forwarded-Protocol` is sanitized before reaching PHP (by a reverse proxy, for
| example), you will not be impacted by this vulnerability either. If
| your CAS server service registry is configured to only allow known and
| trusted service URLs the severity of the vulnerability is reduced
| substantially in its severity since an attacker must be in control of
| another authorized service. Otherwise, you should upgrade the library
| to get the safe service discovery behavior.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39369
    https://www.cve.org/CVERecord?id=CVE-2022-39369
[1] https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64

Regards,
Salvatore
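The mechanism the advisory above describes, as an added example (this is not phpCAS code and not part of the bug report): a model of the pre-1.6.0 header-based service URL discovery next to the strict, operator-configured form that 1.6.0 enforces, both run against a constructed request from an attacker who holds a service ticket issued for their own CAS-registered service. The header names are the ones the advisory lists; the hostnames, the ticket, the in-memory ticket store and the `casServiceValidate` stand-in for the CAS validation endpoint are assumptions made for the example. Requires PHP 8 (for `str_starts_with`).

```php
<?php
// Added example, not phpCAS code: models the service-URL discovery behind
// CVE-2022-39369. A CAS service ticket is bound to the exact service URL it
// was issued for, so a client that builds that URL from attacker-supplied
// headers lets the attacker choose which ticket the server will accept.
declare(strict_types=1);

// phpCAS removes the `ticket` query parameter before sending the service
// URL to the CAS validation endpoint; do the same here.
function stripTicketParam(string $requestUri): string
{
    $parts = parse_url($requestUri) ?: [];
    $path = $parts['path'] ?? '/';
    if (empty($parts['query'])) {
        return $path;
    }
    parse_str($parts['query'], $params);
    unset($params['ticket']);
    return $params === [] ? $path : $path . '?' . http_build_query($params);
}

// Pre-1.6.0 style discovery: trusts the proxy and Host headers named in the
// advisory, in this order of preference.
function discoverServiceUrlFromHeaders(array $server): string
{
    $proto = $server['HTTP_X_FORWARDED_PROTO']
        ?? $server['HTTP_X_FORWARDED_PROTOCOL']
        ?? ((($server['HTTPS'] ?? 'off') !== 'off') ? 'https' : 'http');
    $host = $server['HTTP_X_FORWARDED_HOST']
        ?? $server['HTTP_X_FORWARDED_SERVER']
        ?? $server['HTTP_HOST']
        ?? $server['SERVER_NAME'];
    return $proto . '://' . $host . stripTicketParam($server['REQUEST_URI']);
}

// Strict discovery, the behaviour 1.6.0 enforces by requiring a service base
// URL at construction: headers may only select among the operator's own
// origins, never introduce a new one.
function discoverServiceUrlStrict(array $server, array $serviceBaseUrls): string
{
    $candidate = discoverServiceUrlFromHeaders($server);
    foreach ($serviceBaseUrls as $base) {
        // Compare with a trailing slash so that "https://app.example.com.evil"
        // is not accepted as a prefix match for "https://app.example.com".
        if (str_starts_with($candidate, rtrim($base, '/') . '/')) {
            return $candidate;
        }
    }
    // Header-derived origin is not ours: ignore the headers entirely.
    return rtrim($serviceBaseUrls[0], '/') . stripTicketParam($server['REQUEST_URI']);
}

// Constructed stand-in for the CAS /serviceValidate endpoint: returns the
// user the ticket was issued for only if the presented service URL matches.
function casServiceValidate(array $ticketStore, string $ticket, string $service): ?string
{
    if (!isset($ticketStore[$ticket])) {
        return null;
    }
    [$boundService, $user] = $ticketStore[$ticket];
    return $boundService === $service ? $user : null;
}

// What the phpCAS-protected application does with an incoming ?ticket=...
function authenticate(string $serviceUrl, array $server, array $ticketStore): ?string
{
    parse_str((string) parse_url($server['REQUEST_URI'], PHP_URL_QUERY), $query);
    return isset($query['ticket'])
        ? casServiceValidate($ticketStore, $query['ticket'], $serviceUrl)
        : null;
}

// Constructed scenario (hostnames and ticket are made up). The victim, logged
// in to the SSO, visited the attacker's page and was bounced through the CAS
// login with service=https://attacker.example/app/index.php, a URL the CAS
// service registry allowed; CAS therefore issued ST-1234 for that URL and
// handed it to the attacker's site, still bound to the victim's identity.
$ticketStore = ['ST-1234' => ['https://attacker.example/app/index.php', 'victim']];

// The attacker replays it against the real application from their own HTTP
// client, supplying the Host header of their service.
$attackerRequest = [
    'HTTPS'       => 'on',
    'SERVER_NAME' => 'app.example.com',
    'HTTP_HOST'   => 'attacker.example',
    'REQUEST_URI' => '/app/index.php?ticket=ST-1234',
];

foreach (['legacy' => discoverServiceUrlFromHeaders($attackerRequest),
          'strict' => discoverServiceUrlStrict($attackerRequest, ['https://app.example.com'])] as $mode => $serviceUrl) {
    $user = authenticate($serviceUrl, $attackerRequest, $ticketStore);
    printf("%s discovery validates ticket for %s: %s\n", $mode, $serviceUrl, $user ?? 'rejected');
}
```

With the legacy discovery the service URL sent to CAS is the attacker's own (https://attacker.example/app/index.php), the ticket validates, and the application would start a session as `victim` in the attacker's browser. With the strict discovery the same request resolves to https://app.example.com/app/index.php, the ticket was not issued for that URL, and validation fails. In real deployments the base URL goes to the phpCAS client constructor as the advisory describes (the upgrading doc linked from the GitHub advisory has the exact signature); a reverse proxy that overwrites `Host` and strips the `X-Forwarded-*` headers before they reach PHP gives the same protection, which is the advisory's third condition. The prefix check must include the scheme and a trailing slash, as above, and should include the port if one is configured; a bare hostname comparison is not enough.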



Marked as found in versions php-cas/1.3.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 06 Nov 2022 20:15:04 GMT)


Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Mon, 07 Nov 2022 08:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 07 Nov 2022 08:39:03 GMT)


Message #12 received at 1023571-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1023571-close@bugs.debian.org
Subject: Bug#1023571: fixed in php-cas 1.6.0-1
Date: Mon, 07 Nov 2022 08:34:37 +0000
Source: php-cas
Source-Version: 1.6.0-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
php-cas, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023571@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated php-cas package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 07 Nov 2022 08:40:18 +0100
Source: php-cas
Architecture: source
Version: 1.6.0-1
Distribution: unstable
Urgency: medium
Maintainer: Yadd <yadd@debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1023571
Changes:
 php-cas (1.6.0-1) unstable; urgency=medium
 .
   [ Debian Janitor ]
   * Bump debhelper from old 12 to 13.
   * Set field Upstream-Contact in debian/copyright.
   * Set upstream metadata fields: Bug-Submit.
   * Remove obsolete fields Contact, Name from debian/upstream/metadata (already
     present in machine-readable debian/copyright).
   * Update standards version to 4.5.1, no changes needed.
 .
   [ Yadd ]
   * Fix debian/watch
   * New upstream release (Closes: #1023571, CVE-2022-39369)
   * Update standards version to 4.6.1, no changes needed.
Checksums-Sha1: 
 62aa6456de7255c882a65d78f825fa20575c7367 1838 php-cas_1.6.0-1.dsc
 8f79f97c5a1dd710918a8fd681f5abe27d7da881 75385 php-cas_1.6.0.orig.tar.gz
 1e0c091a40e8815f8e41bbf0eeb30404013dea3b 4196 php-cas_1.6.0-1.debian.tar.xz
Checksums-Sha256: 
 655383bd3e483c8de6b92c4fa7d8030b94495ce98e34f9b751332ff44e12e638 1838 php-cas_1.6.0-1.dsc
 11bdd41c7a4d3c90c8039588763ceac0633bc4732e1e04664f816a7d8a3cc2ff 75385 php-cas_1.6.0.orig.tar.gz
 41dfbcd8db2988614c4b2d75bc0919112f267d3dab1df5bc197bbfd667798432 4196 php-cas_1.6.0-1.debian.tar.xz
Files: 
 166b03c689d57f9c684b0c874b1fdfac 1838 php optional php-cas_1.6.0-1.dsc
 71182d1c0dc75509a8545264f71e1fbe 75385 php optional php-cas_1.6.0.orig.tar.gz
 208a68ca64cd6de08263b387d8fd4b87 4196 php optional php-cas_1.6.0-1.debian.tar.xz







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 7 13:25:07 2022; Machine Name: buxtehude
