MSA-17-0016: Authentication bypass vulnerability with old CAS servers

by Marina Glancy.  

Old CAS servers (3.3.5.1 or 3.4.2.1, both released Jul 21, 2010) do not escape the failure message which could be exploited with the phpCAS client library that is shipped as part of Moodle. Only fix for this issue was picked to phpCAS library in Moodle, the library will be upgraded to the latest version in the next major Moodle release. See also https://github.com/Jasig/phpCAS/issues/228


Severity/Risk:Minor
Versions affected:3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed:3.3.1, 3.2.4 and 3.1.7
Reported by:ngocdh
CVE identifier:CVE-2017-1000071 (requested by phpCAS)
Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59456
Tracker issue:MDL-59456 Authentication bypass vulnerability on phpCAS library

Read more https://moodle.org/mod/forum/discuss.php?d=355557&parent=1434237