PAPI Archives

The PAPI authentication and authorization framework

PAPI@LISTSERV.REDIRIS.ES

Content-Type: text/plain
Date: Thu, 4 Mar 2004 16:17:47 +0100
Reply-To: The PAPI authentication and authorization framework <[log in to unmask]>
Subject:
Message-ID: <1078413467.1357.34.camel@incal>
Content-Transfer-Encoding: 7bit
From: "Diego R. Lopez" <[log in to unmask]>
Sender: The PAPI authentication and authorization framework <[log in to unmask]>
X-Mailer: Ximian Evolution 1.4.3
Mime-Version: 1.0
Parts/Attachments: text/plain (39 lines)
Dear all,

A colleague of the University of Malaga, Diego Ray, has detected two
security flaws in the code of the Authentication Server:

* The AS sent correct (albeit not required by the protocol) assertions
  when requesting TEST and LOGOUT operations

* The AS did not encrypt operations identifiers in split mode.

Both failures could be exploited by an attacker to impersonate a valid
user, overriding the identity checks implemented in the AS. Although
PAPI protocol time-outs make this very difficult (if possible) to do
from a normal browser session, a program was written and demonstrated its
ability to exploit the bugs.

New versions of the AS, that solve both errors, are now available.
Administrators of PAPI authentication services are strongly encouraged
to update to these new AS releases, according to the version of PAPI they
are running. Please refer to the following URLs:

http://papi.rediris.es/comu/news/20040304.html

ftp://ftp.rediris.es/pub/rediris/papi/AS-Security-Update-20040304/

Best regards,

--
"This time we will not fail, Doctor Infierno"

Diego R. Lopez
[log in to unmask]

RedIRIS
The Spanish NREN
Tel:    +34 955 056 621
Mobile: +34 669 898 094
-----------------------------------------