- Advisory ID: DRUPAL-SA-CONTRIB-2016-005
- Project: CAS (third-party module)
- Version: 7.x
- Date: 2016-February-10
- Security risk: 12/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:None/E:Proof/TD:All
- Vulnerability: Information Disclosure
Description
This module enables you to use your Drupal site as a client or server for the single sign on protocol CAS. This vulnerability only affects sites that use the “CAS Server” sub module.
The module doesn’t allow an administrator to restrict which CAS clients are allowed authenticate with the Drupal CAS server. A malicious CAS client can trick your users into exposing information about themselves, including: username, uid, email, account created date, account language, and roles.
This vulnerability is mitigated by the fact that a user must click a specially formed link from the malicious site and log into your Drupal CAS server with their credentials. If the user already has an active session with your Drupal CAS server, then that step is skipped.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- CAS 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed CAS module, there is nothing you need to do.
Solution
Install the latest version:
- If you are using the CAS Server sub-module, upgrade to CAS 7.x-1.5 and configure the “white list” of accepted CAS clients that are allowed to authenticate with your CAS server.
- If you use the CAS module but NOT the server sub-module, then do nothing.
Also see the CAS project page.
Reported by
Fixed by
- Brian Osborne the module maintainer
- Robert Wohleb
- Olarin
Coordinated by
- Michael Hess of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity