PAPI Archives

The PAPI authentication and authorization framework


"Diego R. Lopez" <[log in to view]>
Reply To:
The PAPI authentication and authorization framework <[log in to view]>
Thu, 4 Mar 2004 16:17:47 +0100
Dear all,

A colleague of the University of Malaga, Diego Ray, has detected two
security flaws in the code of the Authentication Server:

* The AS sent correct (albeit not required by the protocol) assertions
  when requesting TEST and LOGOUT operations

* The AS did not encrypt operations identifiers in split mode.

Both failures could be exploited by an attacker to impersonate a valid
user, overriding the identity checks implemented in the AS. Although
PAPI protocol time-outs make this very difficult (if possible) to do
from a normal browser session, a program was written and demonstrated its
ability to exploit the bugs.

New versions of the AS, that solve both errors, are now available.
Administrators of PAPI authentication services are strongly encouraged
to update to these new AS releases, according to the version of PAPI they
are running. Please refer to the following URLs:

Best regards,

"This time we will not fail, Doctor Infierno"

Diego R. Lopez
[log in to view]

The Spanish NREN
Tel:    +34 955 056 621
Mobile: +34 669 898 094