Dear all,

A colleague of the University of Malaga, Diego Ray, has detected two security flaws in the code of the Authentication Server:

* The AS sent correct (albeit not required by the protocol) assertions when requesting TEST and LOGOUT operations
* The AS did not encrypt operation identifiers in split mode

Both failures could be exploited by an attacker to impersonate a valid user, overriding the identity checks implemented in the AS. Although PAPI protocol time-outs make this very difficult (if possible) to do from a normal browser session, a program was written and demonstrated its ability to exploit the bugs.

New versions of the AS, which solve both errors, are now available. Administrators of PAPI authentication services are strongly encouraged to update to these new AS releases, according to the version of PAPI they are running. Please refer to the following URLs:

http://papi.rediris.es/comu/news/20040304.html
ftp://ftp.rediris.es/pub/rediris/papi/AS-Security-Update-20040304/

Best regards,

--
"This time we will not fail, Doctor Infierno"
Diego R. Lopez
RedIRIS
The Spanish NREN
Tel: +34 955 056 621
Mobile: +34 669 898 094