
CVE-2022-39369

Service Hostname Discovery Exploitation in phpCAS

  • Severity Score: 8.0 (CVSS v3.1)
  • Exploit Likelihood: - (EPSS)
  • Affected Versions: - (CPE)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry, in the worst case this may be any other service URL (if the allowed URLs are configured to "^(https)://.*"), or it may be strictly limited to known and authorized services in the same SSO federation if proper service URL validation is applied. This vulnerability may allow an attacker to gain access to a victim's account on a vulnerable CASified service without the victim's knowledge, when the victim visits the attacker's website while being logged in to the same CAS server.

phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting with this version, it is required to pass in an additional service base URL argument when constructing the client class. For more information, please refer to the upgrading doc. This vulnerability only impacts the CAS client that the phpCAS library protects.

The problematic service URL discovery behavior in phpCAS < 1.6.0 is disabled, and thus you are not impacted by it, only if the phpCAS configuration has the following setup:

  1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), and
  2. `phpCAS::setCallbackURL()` is called, only when proxy mode is enabled.
  3. If the HTTP header inputs `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto` and `X-Forwarded-Protocol` are sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability either.

If your CAS server service registry is configured to only allow known and trusted service URLs, the severity of the vulnerability is reduced substantially, since an attacker must be in control of another authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior.
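As an added example that is not part of this advisory or of the phpCAS project's own code, the following helper applies the mitigations the description lists: on phpCAS 1.6.0 or later it passes the service base URL argument to the client constructor, and on older releases it pins the service URL with `phpCAS::setUrl()` (and, for proxy mode, `phpCAS::setCallbackURL()`) so that the `Host` and `X-Forwarded-*` request headers never feed ticket validation. The hostnames, CAS context path, callback path and CA certificate path are constructed placeholders; the code assumes phpCAS's `CAS.php` is on the PHP include path and that `PHPCAS_VERSION` and `CAS_VERSION_2_0` are the constants that file defines.

```php
<?php
// Added example, not phpCAS project code. Assumes CAS.php (the phpCAS entry
// point) is resolvable via the include path, as in the classic phpCAS setup.
require_once 'CAS.php';

/**
 * Configure the phpCAS client so the service URL used for ticket validation is
 * fixed server-side instead of being discovered from HTTP request headers.
 *
 * @param string $casHost     CAS server hostname (constructed value below)
 * @param int    $casPort     CAS server port
 * @param string $casContext  CAS server context path, e.g. "/cas"
 * @param string $serviceBase scheme + host of THIS application, no trailing slash
 * @param bool   $proxyMode   true if the application acts as a CAS proxy
 */
function configureCasClient(
    string $casHost,
    int $casPort,
    string $casContext,
    string $serviceBase,
    bool $proxyMode = false
): void {
    if (version_compare(PHPCAS_VERSION, '1.6.0', '>=')) {
        // phpCAS >= 1.6.0: the fifth constructor argument is the service base
        // URL (a string or a list of strings). The library validates the
        // discovered service URL against it, so a forged Host or
        // X-Forwarded-Host header cannot change the URL the ticket is bound to.
        if ($proxyMode) {
            phpCAS::proxy(CAS_VERSION_2_0, $casHost, $casPort, $casContext, $serviceBase);
            phpCAS::setCallbackURL($serviceBase . '/cas-callback.php'); // constructed path
        } else {
            phpCAS::client(CAS_VERSION_2_0, $casHost, $casPort, $casContext, $serviceBase);
        }
        return;
    }

    // phpCAS < 1.6.0: no service base URL argument exists, and the library
    // falls back to header-based discovery unless setUrl() is called.
    if ($proxyMode) {
        phpCAS::proxy(CAS_VERSION_2_0, $casHost, $casPort, $casContext);
        // Advisory condition 2: in proxy mode the callback URL must also be
        // pinned rather than discovered from headers.
        phpCAS::setCallbackURL($serviceBase . '/cas-callback.php'); // constructed path
    } else {
        phpCAS::client(CAS_VERSION_2_0, $casHost, $casPort, $casContext);
    }

    // Advisory condition 1: setUrl() must receive the full URL of the CURRENT
    // page. Scheme and host come from $serviceBase, a value under the
    // application's own control; only the path/query is taken from the request.
    // Never build this from $_SERVER['HTTP_HOST'] or X-Forwarded-* headers.
    $currentPath = $_SERVER['REQUEST_URI'] ?? '/';
    phpCAS::setUrl($serviceBase . $currentPath);
}

// Constructed deployment values for this example.
configureCasClient('cas.example.org', 443, '/cas', 'https://app.example.org');

// Validate the CAS server's TLS certificate against a pinned CA bundle
// (constructed path) and require a logged-in user for this page.
phpCAS::setCasServerCACert('/etc/ssl/certs/cas-ca.pem');
phpCAS::forceAuthentication();
```

The version branch is there so the same bootstrap file behaves correctly across an upgrade; on 1.6.0 the library refuses to start without the service base URL, which is the point of the major version bump. Header sanitization at a reverse proxy (the advisory's third condition) is a defence in depth on top of this, not a replacement for it.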


WordPress plugins containing a vulnerable copy of this library may or may not be vulnerable to exploitation.

*Credits: Filip Hejsek
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-09-02 CVE Reserved
  • 2022-11-01 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-09-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
  • CWE-1287: Improper Validation of Specified Type of Input
Affected Vendors, Products, and Versions
Vendor         Product  Version  Other  Status
Apereo         Phpcas   < 1.6.0  -      Affected
Fedoraproject  Fedora   35       -      Affected
Fedoraproject  Fedora   36       -      Affected
Fedoraproject  Fedora   37       -      Affected