Open coudot opened 1 year ago
In CAS client code, SSL validation is disabled (https://github.com/itsmng/itsm-ng/blob/main/inc/auth.class.php#L486):
```php
// no SSL validation for the CAS server
phpCAS::setNoCasServerValidation();
```
This is a bad practice and can be considered a security issue (with DNS spoofing, an attacker can log in as any user).
The SSL validation should be enabled by default, and an option can be created to disable it if needed.
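The following is an added illustration of the fix the report asks for, not ITSM-NG's code: a phpCAS client setup that validates the CAS server's TLS certificate by default and only calls `phpCAS::setNoCasServerValidation()` when an administrator explicitly opts out. The configuration keys (`cas_host`, `cas_port`, `cas_uri`, `cas_version`, `cas_ca_cert`, `cas_skip_server_validation`) and the CA bundle path are assumptions for this example; only the `phpCAS` calls are the library's real API.

```php
<?php
// Added example (not ITSM-NG's code): CAS client initialisation with
// certificate validation on by default and an explicit, off-by-default
// switch to disable it. Config key names and paths are hypothetical.

require_once 'CAS.php'; // phpCAS library (composer package apereo/phpcas)

// Constructed configuration; in a real deployment this comes from the
// application's settings store. Key names are assumptions.
$config = [
    'cas_host'                   => 'cas.example.org',
    'cas_port'                   => 443,
    'cas_uri'                    => '/cas',
    'cas_version'                => CAS_VERSION_2_0,
    // PEM bundle holding the CA that issued the CAS server certificate
    // (or the system bundle). Path is an assumption.
    'cas_ca_cert'                => '/etc/ssl/certs/ca-certificates.crt',
    // Secure default: validation stays enabled unless this is set to true.
    'cas_skip_server_validation' => false,
];

/**
 * Initialise the phpCAS client from the given configuration.
 *
 * Server certificate validation is the default; disabling it requires an
 * explicit opt-in, so a missing or unset option never silently turns it off.
 */
function initCasClient(array $config): void
{
    phpCAS::client(
        $config['cas_version'],
        $config['cas_host'],
        (int) $config['cas_port'],
        $config['cas_uri']
    );

    if (!empty($config['cas_skip_server_validation'])) {
        // Explicit administrator opt-out: this is the behaviour the report
        // found hard-coded. Keep it reachable only through configuration.
        phpCAS::setNoCasServerValidation();
        return;
    }

    if (!is_readable($config['cas_ca_cert'])) {
        // Fail closed: a missing CA bundle must not degrade to "no validation".
        throw new RuntimeException(
            'CAS CA certificate bundle is not readable: ' . $config['cas_ca_cert']
        );
    }

    // Verify the CAS server certificate against the CA bundle and check that
    // the certificate's CN/SAN matches the configured CAS host (2nd arg true).
    // With this in place a spoofed DNS answer leads to a failed TLS handshake
    // instead of a forged authentication response being accepted.
    phpCAS::setCasServerCACert($config['cas_ca_cert'], true);
}

initCasClient($config);
phpCAS::forceAuthentication();
$user = phpCAS::getUser();
```

The point of the `return` after the opt-out and the `RuntimeException` on an unreadable bundle is that every path either validates the server certificate or was explicitly told not to; there is no configuration state in which validation is skipped by accident.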
Hi @coudot ,
Thanks for your report. We will investigate and get back to you as soon as possible.
Best regards, Charlene