Bug 646659 (CVE-2010-3690, CVE-2010-3691, CVE-2010-3692)

Summary: CVE-2010-3690 CVE-2010-3691 CVE-2010-3692 phpCAS: multiple vulnerabilities fixes in 1.1.3
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: fedora, gwync
Doc Type: Bug Fix
Last Closed: 2013-05-08 18:40:33 UTC
Bug Depends On: 620759

Description Vincent Danen 2010-10-25 21:07:19 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3690 to
the following vulnerability:

Name: CVE-2010-3690
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3690
Assigned: 20101001
Reference: MLIST:[oss-security] 20100929 CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/09/29/6
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/2
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/5
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495542#82
Reference: CONFIRM: https://developer.jasig.org/source/changelog/jasigsvn?cs=21538
Reference: CONFIRM: https://issues.jasig.org/browse/PHPCAS-80

Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before
1.1.3, when proxy mode is enabled, allow remote attackers to inject
arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket
IOU (PGTiou) parameter to the callback function in client.php, (2)
vectors involving functions that make getCallbackURL calls, or (3)
vectors involving functions that make getURL calls.


Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3691 to
the following vulnerability:

Name: CVE-2010-3691
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3691
Assigned: 20101001
Reference: MLIST:[oss-security] 20100929 CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/09/29/6
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/2
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/5
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495542#82
Reference: CONFIRM: https://developer.jasig.org/source/changelog/jasigsvn?cs=21538
Reference: CONFIRM: https://issues.jasig.org/browse/PHPCAS-80

PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is
enabled, allows local users to overwrite arbitrary files via a symlink
attack on an unspecified file.


Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3692 to
the following vulnerability:

Name: CVE-2010-3692
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3692
Assigned: 20101001
Reference: MLIST:[oss-security] 20100929 CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/09/29/6
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/2
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/5
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495542#82
Reference: CONFIRM: https://developer.jasig.org/source/changelog/jasigsvn?cs=21538
Reference: CONFIRM: https://issues.jasig.org/browse/PHPCAS-80

Directory traversal vulnerability in the callback function in
client.php in phpCAS before 1.1.3, when proxy mode is enabled, allows
remote attackers to create or overwrite arbitrary files via directory
traversal sequences in a Proxy Granting Ticket IOU (PGTiou) parameter.
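
The three CVEs above share one root cause: the pgtIou value that the CAS server sends to the proxy callback is attacker-influenced input, and pre-1.1.3 phpCAS used it as a file name under a shared directory and reflected it into HTML without validation. The following is an added example, not phpCAS code and not a description of how the 1.1.3 fix was actually implemented: a callback handler in the vulnerable shape the advisories describe, beside a hardened one. It assumes (these assumptions are not from the bug) that the CAS server calls back with `pgtIou` and `pgtId` query parameters, and that a ticket is `PGTIOU-`/`PGT-` followed by alphanumerics, `-`, `.` and `_`; tighten that whitelist to what your CAS server actually emits. The sample tickets are in the style of the CAS protocol examples and are constructed, not real.

```php
<?php
// Added example, not phpCAS code. Assumptions (not from the bug): the CAS
// server calls back with pgtIou and pgtId query parameters, and a ticket is
// "PGTIOU-"/"PGT-" followed by alphanumerics, '-', '.' and '_' (a
// conservative whitelist; tighten it to what your CAS server emits).
declare(strict_types=1);

const PGTIOU_PATTERN = '/\APGTIOU-[A-Za-z0-9._-]{1,250}\z/';
const PGTID_PATTERN  = '/\APGT-[A-Za-z0-9._-]{1,250}\z/';

// Vulnerable shape (defined for comparison only, never called below): the IOU
// is used unvalidated as a file name under a shared directory and echoed back.
function callback_vulnerable(array $q, string $dir): string
{
    $iou = $q['pgtIou'] ?? '';
    $id  = $q['pgtId'] ?? '';
    file_put_contents($dir . '/' . $iou, $id);            // "../" traversal; follows a planted symlink
    return "<p>Storing PGT '$id' (PGT IOU '$iou').</p>";  // reflected XSS
}

// Hardened handler: returns [http_status, html_body].
function callback_hardened(array $q, string $dir): array
{
    $iou = (string) ($q['pgtIou'] ?? '');
    $id  = (string) ($q['pgtId'] ?? '');

    // 1. Whitelist the ticket syntax before it reaches the file system or HTML.
    if (!preg_match(PGTIOU_PATTERN, $iou) || !preg_match(PGTID_PATTERN, $id)) {
        return [400, '<p>Invalid proxy callback parameters.</p>'];
    }

    // 2. Storage must be a directory only the web server user can write to,
    //    not a shared /tmp where another local user can pre-plant names.
    if (!is_dir($dir) || (fileperms($dir) & 0022) !== 0) {
        return [500, '<p>PGT storage directory is missing or group/world-writable.</p>'];
    }

    // 3. Exclusive create: O_CREAT|O_EXCL fails if anything already exists at
    //    the path, a symlink included, so a planted link is never followed.
    $path = $dir . '/' . $iou;
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        return [409, '<p>PGT IOU already present; refusing to overwrite.</p>'];
    }
    chmod($path, 0600);
    fwrite($fh, $id);
    fclose($fh);

    // 4. Escape before reflecting anything attacker-controlled into HTML.
    $safeIou = htmlspecialchars($iou, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return [200, "<p>Stored PGT for IOU {$safeIou}.</p>"];
}

// Constructed inputs (CAS-spec-style sample tickets, not real ones).
// Run with: php callback.php
$dir = sys_get_temp_dir() . '/pgt-demo-' . getmypid();
mkdir($dir, 0700);
symlink('/etc/passwd', $dir . '/PGTIOU-planted');   // the symlink-attack precondition

$cases = [
    'legit'     => ['pgtIou' => 'PGTIOU-84678-8a9d2sfa23casd', 'pgtId' => 'PGT-1856339-aA5Yuvrxzpv8Tau1cAQ7'],
    'traversal' => ['pgtIou' => '../../../../etc/cron.d/evil',  'pgtId' => 'PGT-x'],
    'xss'       => ['pgtIou' => 'PGTIOU-<script>alert(1)</script>', 'pgtId' => 'PGT-x'],
    'symlink'   => ['pgtIou' => 'PGTIOU-planted',               'pgtId' => 'PGT-x'],
    'replay'    => ['pgtIou' => 'PGTIOU-84678-8a9d2sfa23casd', 'pgtId' => 'PGT-other'],
];
foreach ($cases as $name => $q) {
    [$status, $body] = callback_hardened($q, $dir);
    printf("%-9s -> %d %s\n", $name, $status, $body);
}

array_map('unlink', glob($dir . '/*'));
rmdir($dir);
```

The order matters: the syntactic whitelist in step 1 rejects the traversal and XSS inputs outright, so the exclusive create and the HTML escaping are defence in depth rather than the only barrier. The `x` mode refuses both the planted symlink and a repeat of an IOU that is already on disk; since a CAS server delivers each IOU once, refusing is the safe default and an unexpected existing file is itself worth logging.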

Comment 3 Vincent Danen 2010-10-25 21:18:26 UTC
Created glpi tracking bugs for this issue

Affects: fedora-all [bug 620759]

Comment 4 Vincent Danen 2010-10-25 21:18:29 UTC
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 646661]

Comment 5 Gwyn Ciesla 2010-10-26 14:33:49 UTC
I don't think this affects moodle in Fedora currently, since as of 1.9.9-2, we use system phpCAS.

Comment 6 Vincent Danen 2010-10-26 15:30:40 UTC
(In reply to comment #5)
> I don't think this affects moodle in Fedora currently, since as of 1.9.9-2, we
> use system phpCAS.

You're right, I see that in the spec now.  I'll fix the tracking bug then.  Thank you.  For reference:


#use system php-pear-CAS
rm -rf $RPM_BUILD_ROOT/var/www/moodle/web/auth/cas
ln -s /usr/share/pear/ $RPM_BUILD_ROOT/var/www/moodle/web/auth/cas

...

* Thu Aug 19 2010 Jon Ciesla <limb> - 1.9.9-2
- Switch to system php-pear-CAS, BZ 577467, 620772.

Comment 7 Remi Collet 2010-10-27 05:21:18 UTC
GLPI has also been using system phpCAS for a while (php-pear-CAS-1.1.3 is available in the repositories).

Except in EPEL-4, but I think I'm going to remove this outdated version (not maintained, and it can't be updated because of the php 5 dep.)

From spec:
> # Use system lib
> rm -rf lib/phpcas

Comment 8 Vincent Danen 2010-10-27 21:23:22 UTC
(In reply to comment #7)
> GLPI has also been using system phpCAS for a while (php-pear-CAS-1.1.3 is
> available in the repositories).
> 
> Except in EPEL-4, but I think I'm going to remove this outdated version (not
> maintained, and it can't be updated because of the php 5 dep.)

And Fedora 12.  This change was made in Fedora 13.  0.72.4-2.svn11035.fc12 still has an embedded phpCAS.  In fact, the last changelog entry on that one:

* Mon Mar 22 2010 Remi Collet <> - 0.72.4-2.svn11035
- update embedded phpCAS to 1.1.0RC7 (security fix - #575906)

Comment 9 Remi Collet 2010-10-28 07:53:19 UTC
I must apologize... I was thinking I had pushed this update to all branches :(

glpi-0.72.4-3.svn11497 is now in f12 and f13 (updates pending)
glpi-0.71 has been retired from el4 (ticket pending)

Comment 10 Vincent Danen 2010-10-28 17:58:29 UTC
Fantastic.  Thank you, Remi.
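
Comments 5 through 9 turn on one question: does a package carry its own copy of phpCAS, or does it point at the system php-pear-CAS? As an added example (not from the bug, and not from the Fedora moodle or glpi specs), the POSIX sh check below walks a web root, reports every CAS.php it can reach with its PHPCAS_VERSION, says whether the copy is reached through a symlink (the `auth/cas -> /usr/share/pear/` layout quoted in comment 6) or is embedded in the application tree, and flags anything older than 1.1.3. It assumes phpCAS declares its version with `define('PHPCAS_VERSION', '...')` in CAS.php. The tree it scans is constructed by the script itself to mirror the two layouts in the comments (a moodle symlinking to a 1.1.3 system copy, a glpi with an embedded 1.1.0RC7); `demo_tree` and `scan_phpcas` are names chosen here, not tooling from any package.

```sh
#!/bin/sh
# Added example, not from the bug or the Fedora specs: inventory phpCAS copies
# under a web root. Assumes CAS.php declares define('PHPCAS_VERSION', 'x.y.z').

# version_ge A B: succeed if dotted version A >= B. Non-numeric suffixes such
# as "RC7" are ignored, so 1.1.0RC7 compares as 1.1.0 (older than 1.1.3).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# scan_phpcas ROOT: print "path<TAB>version<TAB>embedded|system-link<TAB>ok|VULNERABLE"
# for every CAS.php reachable below ROOT (symlinked directories are followed).
scan_phpcas() {
    root=$(cd "$1" && pwd -P) || return 1
    find -L "$root" -name CAS.php 2>/dev/null | while IFS= read -r f; do
        ver=$(sed -n "s/.*define('PHPCAS_VERSION', *'\([^']*\)').*/\1/p" "$f" | head -n 1)
        [ -n "$ver" ] || continue
        # If the physical directory differs from the path we reached it by,
        # the copy is shared through a symlink (e.g. auth/cas -> /usr/share/pear).
        phys=$(cd "$(dirname "$f")" && pwd -P)
        kind=embedded
        [ "$phys" = "$(dirname "$f")" ] || kind=system-link
        status=ok
        version_ge "$ver" 1.1.3 || status=VULNERABLE
        printf '%s\t%s\t%s\t%s\n' "$f" "$ver" "$kind" "$status"
    done
}

# demo_tree: build a constructed tree mirroring the two layouts in the
# comments (moodle symlinking to the system copy, glpi with an embedded
# 1.1.0RC7) and print its path. The files are stand-ins, not real phpCAS.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/share/pear/CAS" "$d/var/www/moodle/auth" "$d/var/www/glpi/lib/phpcas"
    printf "<?php\ndefine('PHPCAS_VERSION', '1.1.3');\n" > "$d/usr/share/pear/CAS.php"
    ln -s "$d/usr/share/pear" "$d/var/www/moodle/auth/cas"
    printf "<?php\ndefine('PHPCAS_VERSION', '1.1.0RC7');\n" > "$d/var/www/glpi/lib/phpcas/CAS.php"
    printf '%s\n' "$d"
}

demo=$(demo_tree)
scan_phpcas "$demo/var/www"
rm -rf "$demo"
```

On a real host, run `scan_phpcas /var/www` (or wherever the web applications live) instead of the demo tree; any `embedded` row is a copy that the distribution's php-pear-CAS update will not touch, which is exactly the situation comment 8 found in the Fedora 12 glpi package.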