[IT-SecNots] [Security-news] CAS - Moderately Critical - Information Disclosure - DRUPAL-SA-CONTRIB-2016-005

[security-news AT drupal.org]

View online: https://www.drupal.org/node/2666448

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
   * Project: CAS [1]     (third-party module)
   * Version: 7.x
   * Date: 2016-February-10
   * Security risk: 12/25 ( Moderately Critical)
     AC:Basic/A:User/CI:Some/II:None/E:Proof/TD:All [2]
   * Vulnerability: Information Disclosure

-------- DESCRIPTION
---------------------------------------------------------

This module enables you to use your Drupal site as a client or server for the
single sign on protocol CAS. This vulnerability only affects sites that use
the "CAS Server" sub module.

The module doesn't allow an administrator to restrict which CAS clients are
allowed authenticate with the Drupal CAS server. A malicious CAS client can
trick your users into exposing information about themselves, including:
username, uid, email, account created date, account language, and roles.

This vulnerability is mitigated by the fact that a user must click a
specially formed link from the malicious site and log into your Drupal CAS
server with their credentials. If the user already has an active session with
your Drupal CAS server, then that step is skipped.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * CAS 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed CAS [4]
module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you are using the CAS Server sub-module, upgrade to CAS 7.x-1.5 [5] 
and
     configure the "white list" of accepted CAS clients that are allowed to
     authenticate with your CAS server.
   * If you use the CAS module but NOT the server sub-module, then do nothing.

Also see the CAS [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * GUSTAV0 [7]

-------- FIXED BY
------------------------------------------------------------

   * Brian Osborne [8] the module maintainer
   * Robert Wohleb [9]
   * Olarin [10]

-------- COORDINATED BY
------------------------------------------------------

   * Michael Hess [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and  securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] https://www.drupal.org/project/cas
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/cas
[5] https://drupal.org/node/2665642
[6] https://www.drupal.org/project/cas
[7] https://www.drupal.org/u/gustav0
[8] https://www.drupal.org/user/XXXUID
[9] https://www.drupal.org/u/rwohleb
[10] https://www.drupal.org/u/olarin
[11] https://www.drupal.org/u/mlhess
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news