Phpcas · Phpcas · CVE-2022-39369
**Name of the Vulnerable Software and Affected Versions**
phpCAS versions prior to 1.6.0
**Description**
The phpCAS library uses HTTP headers to determine the service URL used to validate tickets, allowing an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm to authenticate to the service protected by phpCAS. This vulnerability may allow an attacker to gain access to a victim's account on a vulnerable CASified service without the victim's knowledge, when the victim visits the attacker's website while being logged in to the same CAS server. The severity of the vulnerability is reduced substantially if the CAS server service registry is configured to only allow known and trusted service URLs.
**Recommendations**
For phpCAS versions prior to 1.6.0, upgrade the library to version 1.6.0 or later to get the safe service discovery behavior. Alternatively, the vulnerability is mitigated if the phpCAS configuration has the following setup:
1. `phpCAS::setUrl()` is called with the full URL of the current page, and
2. `phpCAS::setCallbackURL()` is called when proxy mode is enabled,
or if the HTTP header input is sanitized before it reaches PHP.
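The configuration below is an added example, not code from the phpCAS project or from the advisory. It shows the two mitigations side by side: pinning the service base URL through the argument that phpCAS 1.6.0 added to `phpCAS::client()`, and, for deployments still on an older release, building the current page's URL from a trusted configured origin and passing it to `phpCAS::setUrl()`. The hostnames, the CA bundle path and the `pgt-callback.php` path are placeholders.

```php
<?php
// Added example (not part of phpCAS or the advisory): pin the service URL that
// phpCAS sends to the CAS server for ticket validation so it is never derived
// from the request's Host header. Hostnames and paths below are placeholders.
require_once 'CAS.php';   // or vendor/autoload.php when installed via Composer

// Trusted origin of THIS application, taken from configuration, never from $_SERVER.
const SERVICE_BASE_URL = 'https://app.example.org';   // placeholder

// Full URL of the current page: trusted scheme and host plus only the request's
// path and query. REQUEST_URI may start with "//host/..." on some servers, so
// parse it and keep just path and query, discarding any authority component.
function currentServiceUrl(): string
{
    $parts = parse_url($_SERVER['REQUEST_URI'] ?? '/');
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return SERVICE_BASE_URL . $path . $query;
}

// phpCAS >= 1.6.0: the fifth argument is the mandatory service base URL
// (a string or an array of allowed origins). With it set, the library no
// longer trusts Host-header-derived values when building the service URL.
phpCAS::client(CAS_VERSION_2_0, 'cas.example.org', 443, '/cas', SERVICE_BASE_URL);

// phpCAS < 1.6.0 has no such argument; the advisory's workaround is to call
// setUrl() with the full URL of the current page built from trusted config:
//   phpCAS::client(CAS_VERSION_2_0, 'cas.example.org', 443, '/cas');
//   phpCAS::setUrl(currentServiceUrl());

// Proxy-mode deployments must also pin the PGT callback URL, which would
// otherwise be built from request headers in the same way:
//   phpCAS::proxy(CAS_VERSION_2_0, 'cas.example.org', 443, '/cas', SERVICE_BASE_URL);
//   phpCAS::setCallbackURL(SERVICE_BASE_URL . '/pgt-callback.php');

phpCAS::setCasServerCACert('/etc/ssl/certs/cas-ca.pem');   // placeholder path
phpCAS::forceAuthentication();

echo 'Authenticated as ' . htmlspecialchars(phpCAS::getUser());
```

`client()` and `proxy()` are mutually exclusive in one script, which is why the proxy-mode lines are shown commented out; pick the variant that matches the deployment. The key point in both variants is that the scheme and host of the service URL come from a constant the operator controls, and only the path and query are taken from the request.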