
Comments (4)

apetro avatar apetro commented on June 8, 2024

My gut reaction is that this is a non-issue.

If the adversary can execute arbitrary PHP server-side, then he can do anything. There is nothing that phpCAS can do that cannot be done in PHP, since phpCAS is itself run as PHP.

So, it's possible to add complexity here (e.g., encrypting the username in the session) but it's not possible to add security, since necessarily phpCAS would need access to the key to encrypt and decrypt that username to have encrypted it in the first place and to make use of it when called upon, and if phpCAS can access the key, arbitrary PHP can access the key.

phpCAS doesn't solve the problem of adversaries who are able to execute arbitrary code server-side (but it does prevent even such adversaries from obtaining the end user's password.)

from phpcas.

adamfranco avatar adamfranco commented on June 8, 2024

@apetro nailed it on the head: CAS/phpCAS keeps the user's password away from the web server, enhancing security in that way. While phpCAS should not introduce arbitrary code execution vulnerabilities, there is nothing it can do to prevent such vulnerabilities in client applications.


jfritschi avatar jfritschi commented on June 8, 2024

Well, yes, that is a common issue for all web apps. If I'm able to execute arbitrary code on the same host, I can always hijack your sessions. I can do pretty much the same in any other interactive language. I can even go so far as to write the REMOTE_USER variable in the Apache auth modules. The same applies for anyone being able to read the session storage directory.

If you look at encrypting session data, you always end up with having the key somewhere in the filesystem or in a server variable which must be readable for the webserver itself. The only mitigation I can currently think of in such a shared environment would be safe_mode, which is pretty much broken itself....

Since Apache has no concept of separating users, I think you are pretty much on your own if you want to secure this area. I guess only Java enterprise servers actually support something like security realms and sandboxing etc.

I'm always happy to discuss this further if there is anything unclear.


patrick-mcdougle avatar patrick-mcdougle commented on June 8, 2024

Ok, all good points. I figured this had already been thought out, I just thought I would bring it up in case somehow it hadn't.

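The point made above by apetro and jfritschi (encrypting the username in the session adds no security against co-resident PHP, because the same process can read the same key and the same session store) can be demonstrated on a single host. The script below is an added illustration written for this page; it is not phpCAS code and not code posted by any of the commenters. It assumes a phpCAS-style client that keeps the authenticated username under `$_SESSION['phpCAS_user']` (key name assumed), a symmetric key supplied through the environment variable `APP_SESSION_KEY` (assumed), file-backed sessions, and PHP 8 with the openssl extension. The "alice" username and the session id are constructed sample data, and the script runs from the CLI without a web server.

```php
<?php
// Added illustration, not phpCAS code: a co-resident PHP script recovers an
// "encrypted" session username because it runs with the same privileges as the
// application and therefore sees the same key and the same session store.
//
// Assumptions (not from the original thread): the app stores the CAS username
// under $_SESSION['phpCAS_user'], the key is read from the environment variable
// APP_SESSION_KEY, sessions are file-backed, and this runs from the PHP CLI.
declare(strict_types=1);

const CIPHER = 'aes-256-gcm';

function sessionKey(): string
{
    // The application process must be able to read the key, so any PHP code
    // executing inside (or as) that process can call exactly the same accessor.
    $hex = getenv('APP_SESSION_KEY');
    if ($hex === false || $hex === '') {
        $hex = bin2hex(random_bytes(32));      // demo only: generate a key once
        putenv('APP_SESSION_KEY=' . $hex);
    }
    return hex2bin($hex);
}

function sealUsername(string $user): string
{
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($user, CIPHER, sessionKey(), OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);  // iv (12) | tag (16) | ciphertext
}

function openUsername(string $blob): string|false
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return false;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    return openssl_decrypt($ct, CIPHER, sessionKey(), OPENSSL_RAW_DATA, $iv, $tag);
}

// --- application side: a phpCAS-like client writes its session -------------
$store = sys_get_temp_dir() . '/sess_demo_' . getmypid();   // constructed store
mkdir($store, 0700);
ini_set('session.serialize_handler', 'php_serialize');      // file = one serialize() blob
session_save_path($store);
session_id('constructedsessionid');                        // constructed sample id
session_start();
$_SESSION['phpCAS_user'] = sealUsername('alice');          // constructed sample user
session_write_close();

// --- attacker side: arbitrary PHP on the same host, running as the same user --
// No session API is needed: read the store directly, then call the very same
// key accessor the application uses. Encryption changed nothing.
foreach (glob($store . '/sess_*') as $file) {
    $data = unserialize(file_get_contents($file), ['allowed_classes' => false]);
    printf("%s -> %s\n", basename($file), openUsername($data['phpCAS_user']));
}
// The same access would equally let the attacker overwrite the file and log
// in as anyone, which is the session-hijack jfritschi describes.

array_map('unlink', glob($store . '/sess_*'));
rmdir($store);
```

Run it with `php demo.php`; it prints the session file name followed by the recovered username. The useful check for a practitioner is the reverse one: if the session store or the key material is readable by the account the web server runs as, then every PHP file that account can execute can do what the loop above does, so the real boundary is OS-level separation (distinct users or pools per application), not encryption inside the application.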
