rubycas / rubycas-server

Provides single sign-on authentication for web applications, implementing the server-end of Jasig's CAS protocol.
http://rubycas.github.com

Phishing Exploit Possible Since RubyCAS Server Lacks Service Whitelist #183

Open adaburrows opened 11 years ago

adaburrows commented 11 years ago

It is possible to construct a malicious link to the login page containing a service URL which redirects the user to a phishing form which looks just like the login form. If the user is unaware of the URL, they might give their credentials away thinking their session just timed out.

mitfik commented 11 years ago

Yes, this feature will be a part of RubyCAS 2.0.
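The mitigation the issue asks for is a service allowlist: the login page should only redirect to a `service` URL whose origin is known. The following is an added example written for this page, not code from rubycas-server; the allowlist shape (`ALLOWED_SERVICES`, with scheme and host, and a `*.` subdomain wildcard) and the helper names are assumptions.

```ruby
require "uri"

# Constructed allowlist for this example (hypothetical configuration):
# each entry pins the scheme and either an exact host or a "*." wildcard
# that matches subdomains only.
ALLOWED_SERVICES = [
  { scheme: "https", host: "app.example.edu" },
  { scheme: "https", host: "*.intranet.example.edu" },
].freeze

# True only for an absolute http(s) URL whose scheme and host match an
# allowlist entry. Relative URLs, userinfo tricks such as
# "https://app.example.edu@evil.test/", non-http schemes and unknown hosts
# are all rejected, so the login page never forwards users to an
# attacker-chosen phishing form.
def service_allowed?(service, allowlist = ALLOWED_SERVICES)
  return false if service.nil? || service.empty?
  uri = URI.parse(service)
  return false unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP
  return false if uri.userinfo              # never trust "user@host" forms
  host = uri.host.to_s.downcase
  return false if host.empty?
  allowlist.any? do |entry|
    next false unless entry[:scheme] == uri.scheme
    if entry[:host].start_with?("*.")
      suffix = entry[:host][1..]            # ".intranet.example.edu"
      host.end_with?(suffix) && host.length > suffix.length
    else
      host == entry[:host]
    end
  end
rescue URI::InvalidURIError
  false
end

# What a login handler should do with the untrusted `service` parameter:
# keep it as the post-login redirect only if allowlisted, otherwise drop it
# and simply show the login form without a redirect.
def redirect_target(service)
  service_allowed?(service) ? service : nil
end
```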