Comments (4)
My gut reaction is that this is a non-issue.
If the adversary can execute arbitrary PHP server-side, then he can do anything. There is nothing that phpCAS can do that cannot be done in PHP, since phpCAS is itself run as PHP.
So, it's possible to add complexity here (e.g., encrypting the username in the session) but it's not possible to add security, since necessarily phpCAS would need access to the key to encrypt and decrypt that username to have encrypted it in the first place and to make use of it when called upon, and if phpCAS can access the key, arbitrary PHP can access the key.
phpCAS doesn't solve the problem of adversaries who are able to execute arbitrary code server-side (but it does prevent even such adversaries from obtaining the end user's password.)
from phpcas.
@apetro nailed it on the head: CAS/phpCAS keeps the user's password away from the web server, enhancing security in that way. While phpCAS should not introduce arbitrary code execution vulnerabilities, there is nothing it can do to prevent such vulnerabilities in client applications.
from phpcas.
Well, yes, that is a common issue for all web apps. If I'm able to execute arbitrary code on the same host I can always hijack your sessions. I can do pretty much the same in any other interactive language. I can even go so far as to write the REMOTE_USER variable in the Apache auth modules. Same applies for anyone being able to read the session storage directory.
If you look at encrypting session data you always end up with having the key somewhere in the filesystem or in a server variable which must be readable for the webserver itself. The only mitigation I can currently think of in such a shared environment would be safe_mode, which is pretty much broken itself....
Since Apache has no concept of separating users I think you are pretty much on your own if you want to secure this area. I guess only Java enterprise servers actually support something like security realms and sandboxing etc.
I'm always happy to discuss this further if there is anything unclear.
from phpcas.
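The argument made in the first and third comments above (encrypting the username in the session adds complexity but not security, because whatever key the application can reach, code running in the same PHP process can reach too) is shown concretely below. This is an added illustration, not phpCAS code; the key file location, the helper names and the use of libsodium's secretbox are assumptions for the demonstration, and a plain array stands in for `$_SESSION`.

```php
<?php
// Added example, not phpCAS code: why encrypting the username in the session
// does not protect it from an adversary who can run PHP in the same process.
// Assumptions (hypothetical): the key lives in a file the web server user can
// read, and the "attacker" section is PHP that reached the server through some
// unrelated code-execution bug in the client application.
declare(strict_types=1);

// Hypothetical key location; any location the app can read, the attacker can read.
$KEY_FILE = sys_get_temp_dir() . '/phpcas-demo-session.key';

function loadKey(string $keyFile): string
{
    // Generated on first use. The application must be able to read it back on
    // every request, which is exactly the property the attacker relies on.
    if (!is_file($keyFile)) {
        file_put_contents($keyFile, sodium_crypto_secretbox_keygen());
        chmod($keyFile, 0600);
    }
    return (string) file_get_contents($keyFile);
}

function storeUsername(array &$session, string $user, string $keyFile): void
{
    // Authenticated encryption of the username; nonce is prepended to the box.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($user, $nonce, loadKey($keyFile));
    $session['phpCAS']['user_enc'] = $nonce . $box;
}

function readUsername(array $session, string $keyFile): ?string
{
    $blob = $session['phpCAS']['user_enc'] ?? '';
    if (strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $user = sodium_crypto_secretbox_open($box, $nonce, loadKey($keyFile));
    return $user === false ? null : $user;
}

// Legitimate application path: after ticket validation the app records who
// the user is (a plain array stands in for $_SESSION here).
$session = [];
storeUsername($session, 'alice', $KEY_FILE);
echo 'app sees: ' . readUsername($session, $KEY_FILE) . PHP_EOL;

// Attacker path: arbitrary PHP in the same process has the same privileges,
// so it can (1) load the same key and decrypt the stored username, and
// (2) worse, overwrite the session with an identity of its choosing. Nothing
// phpCAS stores server-side can distinguish these calls from the app's own.
$leaked = readUsername($session, $KEY_FILE);
storeUsername($session, 'admin', $KEY_FILE);
echo 'attacker read: ' . $leaked . PHP_EOL;
echo 'attacker forged: ' . readUsername($session, $KEY_FILE) . PHP_EOL;

// What remains out of the attacker's reach on this host is the user's CAS
// password, which was only ever entered at the CAS server.
unlink($KEY_FILE);
```

The same reasoning applies to any other key source the comments mention (an environment variable, a config file): the web server process must be able to read it on every request, so a hostile script in that process reads it too. The only property the design actually preserves against this adversary is the one the second comment names: the password never transits the application server.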
Ok, all good points. I figured this had already been thought out, I just thought I would bring it up in case somehow it hadn't.
from phpcas.