A colleague at the University of Malaga, Diego Ray, has detected two
security flaws in the code of the Authentication Server:
* The AS sent correct (albeit not required by the protocol) assertions
when requesting TEST and LOGOUT operations
* The AS did not encrypt operation identifiers in split mode.
Both failures could be exploited by an attacker to impersonate a valid
user, overriding the identity checks implemented in the AS. Although
PAPI protocol time-outs make this very difficult (if possible) to do
from a normal browser session, a program was written and demonstrated its
ability to exploit the bugs.
New versions of the AS that solve both errors are now available.
Administrators of PAPI authentication services are strongly encouraged
to update to these new AS releases, according to the version of PAPI they
are running. Please refer to the following URLs:
"This time we will not fail, Doctor Infierno"
Diego R. Lopez
The Spanish NREN
Tel: +34 955 056 621
Mobile: +34 669 898 094