View online: https://drupal.org/node/2231663
* Advisory ID: DRUPAL-SA-CONTRIB-2014-035
* Project: CAS [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-April-02
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The cas_server module of the CAS project implements the CAS 1.0 and 2.0 specifications for providing single sign-on to relying party web applications (the "service" in the CAS specs). The CAS server creates a single-use ticket when serving a user's login request; the ticket is deleted when the relying party validates it.
However, if the Drupal page cache is enabled, the response to this successful validation is cached, and subsequent identical validation requests are answered from the cache even though the single-use ticket has already been deleted.
A user's session on a relying party can therefore be re-initialized via a session replay attack involving the cas_server module, even after the user deletes cookies and server-side sessions for both sites.
This would require an attacker to sniff the service URL containing the ticket ID, such as with a non-SSL relying party, by protocol downgrade, or by accessing an earlier user's web activity on a public computer.
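The following model, added here and not part of the advisory or the cas_server module's code, reproduces the failure: a single-use ticket store behind a URL-keyed page cache answers the same validation request twice. The mitigation shown, marking the validation response non-cacheable so the second request reaches the server, is an assumption for illustration; the advisory does not describe the actual patch. All hostnames and the ticket id are constructed.

```python
from urllib.parse import urlencode, parse_qs, urlparse

class CASServer:
    """Minimal CAS 1.0 server: service tickets are single-use."""
    def __init__(self):
        self.tickets = {}  # ticket id -> (service, user)

    def issue(self, ticket, service, user):
        self.tickets[ticket] = (service, user)

    def validate(self, service, ticket):
        """/validate: consume the ticket; reply 'yes\\n<user>\\n' or 'no\\n\\n'."""
        entry = self.tickets.pop(ticket, None)
        if entry is None or entry[0] != service:
            return "no\n\n"
        return f"yes\n{entry[1]}\n"

class PageCache:
    """Drupal-style anonymous page cache keyed on the request URL. The
    handler returns (body, cacheable); only cacheable replies are stored."""
    def __init__(self, handler):
        self.handler, self.store = handler, {}

    def request(self, url):
        if url in self.store:
            return self.store[url]  # served without reaching the CAS server
        body, cacheable = self.handler(url)
        if cacheable:
            self.store[url] = body
        return body

def make_handler(server, fixed):
    def handler(url):
        q = parse_qs(urlparse(url).query)
        body = server.validate(q["service"][0], q["ticket"][0])
        # Vulnerable: the validation reply is cached like any other page.
        # Fixed (assumed mitigation): the reply is marked non-cacheable, so a
        # repeated validation hits the server and is refused (ticket is gone).
        return body, not fixed
    return handler

def replay_outcome(fixed):
    """Validate one constructed ticket twice through the cache; return both replies."""
    server = CASServer()
    server.issue("ST-constructed-1", "https://rp.example/login", "alice")
    cache = PageCache(make_handler(server, fixed))
    url = "https://cas.example/cas/validate?" + urlencode(
        {"service": "https://rp.example/login", "ticket": "ST-constructed-1"})
    first = cache.request(url)
    second = cache.request(url)  # the identical repeated validation the advisory describes
    return first, second

if __name__ == "__main__":
    print(replay_outcome(fixed=False))  # ('yes\nalice\n', 'yes\nalice\n')
    print(replay_outcome(fixed=True))   # ('yes\nalice\n', 'no\n\n')
```

On the vulnerable path the second reply is still "yes" although the ticket no longer exists; with the response excluded from the page cache the replay is rejected.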
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* CAS Server 6.x-2.x versions prior to 6.x-3.3.
* CAS Server 7.x-2.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed CAS [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the CAS Server module for Drupal 6.x, upgrade to CAS Server 6.x-3.3 [5]
* If you use the CAS Server module for Drupal 7.x, upgrade to CAS Server 7.x-1.3 [6]
Also see the CAS [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Eric Searcy [8]
* Greg Knaddison [9] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Eric Searcy [10]
* Tim Yale [11], the module maintainer
* Greg Knaddison [12] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [18]
[1] http://drupal.org/project/cas
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/cas
[5] https://drupal.org/node/2231659
[6] https://drupal.org/node/2231657
[7] http://drupal.org/project/cas
[8] http://drupal.org/user/137284
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/137284
[11] http://drupal.org/user/2413764
[12] http://drupal.org/user/36762
[13] http://drupal.org/user/36762
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity