apereo / phpCAS

Apereo PHP CAS Client
https://apereo.github.io/phpCAS/
Apache License 2.0

Error message being thrown a security scan problem #147

bjdevil21 closed 8 years ago

bjdevil21 commented 9 years ago

The following error/info message is being publicly presented when errors are thrown: "phpCAS 1.3.2 using server https://ourservername.com/ (CAS 2.0)". This output is being generated by CAS_Client::printHTMLFooter() and shouldn't be publicly visible.

In our case it came up in a stock "security scanner" report as a possible "Application Exception" hole/exploit we have to answer for.

This was initially reported on https://github.com/Jasig/phpCAS/issues/129 but I was told to open a new issue.

jfritschi commented 9 years ago

Indeed this could use some hardening "option" or only show up in debug mode.

jfritschi commented 9 years ago

Fixed, see #152

Any feedback is welcome
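A regression check a site owner can run over captured error pages to confirm the footer text quoted in the report is no longer exposed. This is an added example, not phpCAS code and not part of the thread; the sample HTML, page paths and function names are constructed for illustration.

```python
import html
import re
from typing import Dict, NamedTuple, Optional

# Matches the footer text quoted in the report, e.g.
#   phpCAS 1.3.2 using server https://ourservername.com/ (CAS 2.0)
BANNER_RE = re.compile(
    r"phpCAS\s+(?P<version>\d[\w.+-]*)\s+using\s+server\s+"
    r"(?P<server>https?://[^\s<>\"']+)\s+\(CAS\s+(?P<protocol>[^)\s]+)\)",
    re.IGNORECASE,
)
TAG_RE = re.compile(r"<[^>]+>")


class Disclosure(NamedTuple):
    version: str
    server: str
    protocol: str


def find_banner(body: str) -> Optional[Disclosure]:
    """Return the leaked client version, CAS server and protocol, or None."""
    # Drop markup and collapse whitespace so the banner is found even when
    # the server URL is wrapped in a link or the text spans several lines.
    text = " ".join(html.unescape(TAG_RE.sub(" ", body)).split())
    m = BANNER_RE.search(text)
    return Disclosure(m["version"], m["server"], m["protocol"]) if m else None


def audit(pages: Dict[str, str]) -> Dict[str, Disclosure]:
    """Map each page path whose body still carries the banner to what it leaks."""
    hits = ((path, find_banner(body)) for path, body in pages.items())
    return {path: hit for path, hit in hits if hit is not None}


# Constructed sample responses (markup is illustrative, not phpCAS output).
SAMPLE_PAGES = {
    "/login-error": (
        "<html><body><h1>Authentication failed</h1><hr><address>phpCAS 1.3.2\n"
        'using server <a href="https://ourservername.com/">'
        "https://ourservername.com/</a> (CAS 2.0)</address></body></html>"
    ),
    "/login-error-hardened": (
        "<html><body><h1>Authentication failed</h1>"
        "<p>Please contact the site administrator.</p></body></html>"
    ),
}

if __name__ == "__main__":
    for path, leak in audit(SAMPLE_PAGES).items():
        print(f"{path}: exposes phpCAS {leak.version}, {leak.server}, CAS {leak.protocol}")
```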