CAS 3.1.2 fixes HTML injection vulnerability


The recently released CAS 3.1.2 fixes an HTML injection vulnerability in the JSP pages that render the CAS 2.0 validation success/failure responses; standalone patching instructions are also available for deployments that cannot upgrade right away. Here I re-post Scott Battaglia's email to the CAS lists in order to help get the word out.

Congratulations are due to Scott Battaglia and to the CAS project for producing such timely and responsive patches and fixed releases addressing this issue.

All,

It has recently come to our attention that there is an HTML Injection Vulnerability in the JSP pages that are used to generate the validation success/failure responses. We've fixed this in the latest CAS 3.1.2 and CAS 3.2 RC5 releases. We encourage everyone to move to these releases.

If you would like a hot fix for production without moving to these please copy the JSP pages located in the view/jsp/protocol/2.0 directory into your production server (as long as you have JSP recompilation on, it should be automatically picked up). You can either grab the files from one of the releases or from here:

http://developer.jasig.org/source/browse/jasigsvn/cas3/tags/cas-3-1-2-fi...

Details:
The offending JSP pages were not properly HTML escaping the ticket parameter received from the HTML request when echoing it back on an error. In addition, the pages, by default, were being sent back as text/html (which causes the browser to render the response as HTML).

Fix:
The JSP pages now properly escape any input. In addition, they are now sent back as text/plain instead of text/html.

Please note that neither CAS 2.x nor RubyCAS is affected. RubyCAS properly escapes the characters. CAS 2.x sends the response as text/plain.

Thanks to:
Thanks to Daniel Almeida from Instituto Superior Técnico, Portugal for reporting this.

Thanks
-Scott
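To make the two halves of the fix concrete, here is an added illustration in Python; it is not code from the CAS project or from Scott's message. The XML envelope follows the CAS 2.0 protocol's serviceValidate failure format, the failure message wording and the probe ticket value are constructed for the example, and `html.escape` stands in for the escaping the patched JSP pages perform. The checker at the end is the test a deployer would run against a captured response from their own server after requesting `/serviceValidate` with a ticket parameter containing markup: a patched server returns `text/plain` and never echoes the probe verbatim.

```python
"""Vulnerable vs. fixed rendering of a CAS 2.0 validation-failure response,
plus a checker for a captured response. Added example, not CAS project code.
Envelope per the CAS 2.0 protocol; message text and probe are constructed."""
import html
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
FAILURE_TAG = "{%s}authenticationFailure" % CAS_NS

# Constructed probe: a ticket value no real CAS server would issue, carrying
# markup that a browser executes if echoed verbatim into a text/html body.
PROBE_TICKET = "ST-1<script>alert(1)</script>"


def _envelope(code, message):
    """CAS 2.0 serviceValidate failure response around a failure message."""
    return ("<cas:serviceResponse xmlns:cas='%s'>\n"
            "  <cas:authenticationFailure code='%s'>\n"
            "    %s\n"
            "  </cas:authenticationFailure>\n"
            "</cas:serviceResponse>\n") % (CAS_NS, code, message)


def render_failure_vulnerable(code, ticket):
    """Pre-3.1.2 behaviour as the advisory describes it: the ticket parameter
    is echoed back unescaped and the page is served as text/html."""
    headers = {"Content-Type": "text/html;charset=UTF-8"}
    return headers, _envelope(code, "ticket '%s' not recognized" % ticket)


def render_failure_fixed(code, ticket):
    """Fixed behaviour: escape the echoed input (html.escape covers & < > " ',
    as JSTL's fn:escapeXml does) and label the body text/plain so a browser
    displays any markup as text instead of rendering it."""
    headers = {"Content-Type": "text/plain;charset=UTF-8"}
    safe_ticket = html.escape(ticket, quote=True)
    return headers, _envelope(code, "ticket '%s' not recognized" % safe_ticket)


def check_validation_response(headers, body, probe=PROBE_TICKET):
    """Findings for a captured /serviceValidate response to a request whose
    ticket parameter was `probe`. An empty list means both fixes are present."""
    findings = []
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        findings.append("served as text/html: a browser renders the body")
    if probe in body:
        findings.append("probe ticket echoed without escaping")
    return findings


def failure_text(body):
    """What a CAS client's XML parser sees as the failure message. Entity
    references are decoded, so the escaped body still carries the ticket it
    was given; the unescaped body has turned <script> into a child element."""
    root = ET.fromstring(body)
    return root.find(FAILURE_TAG).text.strip()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_failure_vulnerable),
                         ("fixed", render_failure_fixed)):
        hdrs, body = render("INVALID_TICKET", PROBE_TICKET)
        print(name, check_validation_response(hdrs, body) or "OK")
        print(body)
```

Note that escaping alone would not have been a complete fix: content served as text/html is still rendered, and a text/plain label alone is weak against browsers that sniff content types, which is why the release does both.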

If you would like assistance applying this patch, upgrading to the latest CAS release, or otherwise realizing the value of the JA-SIG Central Authentication Service, maybe Unicon can help.