Dom,

[Without the same registry a ticket issued from Evil.eve.com wouldn't be found at all in Bobs.files.com ticket registry and therefore fail.]

What makes Evil.eve.com and Files.bob.com use different ticket registries? Is it the value of the service request parameter presented on ticket validation? And so if Files.bob.com is duped into validating the ticket using a request parameter "service" value of Evil.eve.com/login, will Files.bob.com in fact be validating the ticket using the same registry as that into which it was issued?

Now, if the CAS server authenticates the service on ticket validation, e.g. by requiring a client-side SSL certificate on the request authenticating the requesting service, then the exploit is blocked, since in that case effectively the CAS server is helping Files.bob.com not to be confused about its identity -- in traditional CAS, services convey their identity to CAS to protect themselves from accidentally validating a ticket intended for another application by setting a request parameter; requiring in addition or instead an SSL authentication of the request amounts to supplementing the service parameter. In principle, one could think of this case in terms of a heavier-duty version of setting the serverName parameter in CAS client configuration in this respect -- instead of setting that simple string, the web application configurer now supplies a whole SSL certificate conveying that string. (Authentication of services validating tickets buys other advantages, of course, but in the specific respect of this exploit, in principle it merely amounts to supplying this bit of configuration in another way.)

It is true that the exploit relies on both the Adversary's web application and the target web application using the same CAS instance.

> However, in your example both Bob and Eve applications are backed by the same
> ticket registry. Without the same registry a ticket issued from Evil.eve.com
> wouldn't be found at all in Bobs.files.com ticket registry and therefore
> fail.
>
> If all services backed by the same registry are "friends" is this still a
> security issue?
>
> I would like to add my appreciation for the time you have spent on this.
>
> Thanks again.
>
> Regards,
>
> Dom
>
> _______________________________________________
> Yale CAS mailing list
> http://tp.its.yale.edu/mailman/listinfo/cas
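To make the reasoning in the reply concrete, the following is an added toy model (not CAS code and not from the thread) of a shared ticket registry validated with and without service authentication; the hostnames, ticket id and the `validate`/`scenarios` functions are constructed for illustration.

```python
# Toy model of CAS service-ticket validation against a shared ticket registry
# (constructed example, not CAS code). It shows why matching the "service"
# parameter alone cannot protect a service duped into presenting another
# service's URL, and how authenticating the caller (e.g. a client TLS
# certificate) binds validation to the caller's proven identity.
from urllib.parse import urlparse

# Constructed shared registry: ticket id -> service URL it was issued for.
REGISTRY = {"ST-123-evil": "https://evil.eve.com/login"}

def validate(ticket_id, service_param, client_cert_host=None):
    """Return True if the CAS server would accept this validation request.
    service_param    -- the "service" request parameter presented by the caller
    client_cert_host -- hostname from the caller's authenticated client cert,
                        or None when the server does not authenticate services
    """
    issued_for = REGISTRY.get(ticket_id)
    if issued_for is None:
        return False  # ticket not in this registry: nothing to validate
    if issued_for != service_param:
        return False  # ticket was issued for a different service URL
    if client_cert_host is not None:
        # Service authentication: the URL the caller claims to validate for
        # must belong to the host the caller has proven it is.
        if urlparse(service_param).hostname != client_cert_host:
            return False
    return True

def scenarios():
    """The cases discussed in the thread (hosts and ticket id constructed)."""
    evil, bob = "https://evil.eve.com/login", "https://files.bob.com/login"
    return {
        # Eve validates her own ticket with her own URL: accepted.
        "eve_validates_own": validate("ST-123-evil", evil),
        # Bob presents his own URL: rejected, ticket was not issued for him.
        "bob_honest": validate("ST-123-evil", bob),
        # Bob is duped into presenting Eve's URL: accepted, since the server
        # cannot tell who is asking; Bob would accept a ticket meant for Eve.
        "bob_duped_no_auth": validate("ST-123-evil", evil),
        # Same request, but Bob's client certificate names files.bob.com:
        # rejected, the claimed service no longer matches the proven caller.
        "bob_duped_with_cert": validate("ST-123-evil", evil,
                                        client_cert_host="files.bob.com"),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```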
