CVE-2022-39369: CWE-99: Improper Control of Resource Identifiers ('Resource Injection') in apereo phpCAS
phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. Before version 1.6.0, phpCAS uses HTTP request headers (`Host`, `X-Forwarded-Host`, `X-Forwarded-Server`, `X-Forwarded-Proto`, `X-Forwarded-Protocol`) to reconstruct the service URL it sends to the CAS server when validating a ticket. An attacker who controls those headers can therefore present a valid ticket that was granted for any other authorized service in the same SSO realm (the same CAS server) to the service protected by phpCAS, and the CAS server accepts it because a service ticket is bound to the service URL it was issued for and phpCAS reports exactly that URL. Depending on the settings of the CAS server service registry, "any other service" in the worst case means any URL at all (if the allowed services are configured as "^(https)://.*"); with proper service URL validation it is strictly limited to known and authorized services in the same SSO federation. The practical result is that an attacker may gain access to a victim's account on a vulnerable CASified service without the victim's knowledge, when the victim visits the attacker's website while being logged in to the same CAS server.
phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default configuration in PHP. Starting with this version, an additional service base URL argument must be passed when constructing the client class; see the upgrading doc for details. This vulnerability affects only the CAS client side, i.e. the application that phpCAS protects, not the CAS server. The problematic service URL discovery behavior in phpCAS < 1.6.0 is bypassed, and you are not impacted by it, only if the phpCAS configuration meets the following conditions:
1. `phpCAS::setUrl()` is called (a reminder: you have to pass in the full URL of the current page, not your service base URL), and
2. `phpCAS::setCallbackURL()` is also called, when (and only when) proxy mode is enabled.
3. Alternatively, if the `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto` and `X-Forwarded-Protocol` headers are sanitized before they reach PHP (by a reverse proxy, for example), you are not impacted by this vulnerability either.
If your CAS server service registry is configured to allow only known and trusted service URLs, the severity is reduced substantially, since an attacker must then be in control of another authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior.
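To make the mechanism concrete, the following is an added simulation (not code from phpCAS or from this advisory) of the two halves of the flaw: a client that rebuilds its service URL from request headers, and the CAS server's rule that a service ticket is valid only for the service URL it was issued for. The mock CAS server, the registry patterns and the host names app.example.org and attacker.example are constructed for the example; the header-handling function only mirrors the behavior the advisory describes and is not the library's implementation.

```php
<?php
// Added example (not phpCAS code): a stand-alone simulation of the flaw. A mock CAS
// server, two registry policies and the host names are constructed for the demo; the
// header-based discovery below only mirrors the behaviour the advisory describes.
declare(strict_types=1);

/** Mock of the CAS server: a service registry plus a one-time service ticket store. */
final class MockCasServer
{
    /** @var array<string, array{service: string, user: string}> */
    private array $tickets = [];
    private int $counter = 0;

    /** @param string[] $allowedServicePatterns regexes, as in the CAS service registry */
    public function __construct(private array $allowedServicePatterns) {}

    /** /cas/login: the logged-in user gets a ticket only for a registered service URL. */
    public function login(string $user, string $service): ?string
    {
        foreach ($this->allowedServicePatterns as $pattern) {
            if (preg_match($pattern, $service) === 1) {
                $ticket = 'ST-' . ++$this->counter;
                $this->tickets[$ticket] = ['service' => $service, 'user' => $user];
                return $ticket;
            }
        }
        return null;
    }

    /** /cas/serviceValidate: a ticket is single-use and bound to the service it was issued for. */
    public function serviceValidate(string $ticket, string $service): ?string
    {
        $entry = $this->tickets[$ticket] ?? null;
        unset($this->tickets[$ticket]);
        return ($entry !== null && $entry['service'] === $service) ? $entry['user'] : null;
    }
}

/** Removes the "ticket" parameter, as a CAS client must before it validates. */
function stripTicketParam(string $requestUri): string
{
    $parts = parse_url($requestUri);
    parse_str($parts['query'] ?? '', $query);
    unset($query['ticket']);
    $path = $parts['path'] ?? '/';
    return $query === [] ? $path : $path . '?' . http_build_query($query);
}

/** Vulnerable discovery: scheme and host are taken from request headers. */
function serviceUrlFromHeaders(array $headers, string $requestUri): string
{
    $proto = $headers['X-Forwarded-Proto'] ?? 'https';
    $host  = $headers['X-Forwarded-Host'] ?? $headers['Host'];
    return $proto . '://' . $host . stripTicketParam($requestUri);
}

/** Fixed discovery: scheme and host come from configuration, never from the request. */
function serviceUrlFromPinnedBase(string $serviceBaseUrl, string $requestUri): string
{
    return rtrim($serviceBaseUrl, '/') . stripTicketParam($requestUri);
}

// Permissive registry quoted in the advisory: every https URL counts as a service.
$cas = new MockCasServer(['#^(https)://.*#']);

// 1. The attacker's page sends the logged-in victim to
//    /cas/login?service=https://attacker.example/app/ and so receives a ticket for the victim.
$ticket = $cas->login('victim', 'https://attacker.example/app/');

// 2. The attacker presents it to the real application with a spoofed forwarded host.
$spoofed    = ['Host' => 'app.example.org', 'X-Forwarded-Host' => 'attacker.example'];
$requestUri = '/app/?ticket=' . $ticket;
$vulnerable = $cas->serviceValidate($ticket, serviceUrlFromHeaders($spoofed, $requestUri));

// 3. The same attempt against a client that pins its base URL: service mismatch, rejected.
$ticket     = $cas->login('victim', 'https://attacker.example/app/');
$requestUri = '/app/?ticket=' . $ticket;
$fixed      = $cas->serviceValidate($ticket, serviceUrlFromPinnedBase('https://app.example.org', $requestUri));

// 4. A legitimate login still works with the pinned client.
$ticket     = $cas->login('victim', 'https://app.example.org/app/');
$requestUri = '/app/?ticket=' . $ticket;
$legit      = $cas->serviceValidate($ticket, serviceUrlFromPinnedBase('https://app.example.org', $requestUri));

// 5. With a strict registry the attacker never obtains a ticket in the first place.
$strictCas = new MockCasServer(['#^https://app\.example\.org/.*#']);
$denied    = $strictCas->login('victim', 'https://attacker.example/app/');

printf("header-derived service URL, permissive registry: %s\n", $vulnerable ?? 'rejected');
printf("pinned service URL, attacker ticket:             %s\n", $fixed ?? 'rejected');
printf("pinned service URL, legitimate ticket:           %s\n", $legit ?? 'rejected');
printf("strict registry, attacker service:               %s\n", $denied ?? 'no ticket');
```

Run it with `php simulate.php` (PHP 8.0 or later, for constructor property promotion). Two points to take from the output: a spoofed forwarded-host header alone is enough when the registry is permissive, and the two fixes are independent of each other, so an operator who controls only the application or only the CAS server can still close one of the two doors.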
AI Analysis
Technical Summary
CVE-2022-39369 is a vulnerability in the phpCAS library, an open-source PHP client library used to authenticate users via a Central Authentication Service (CAS) server. It is classified as improper control of resource identifiers (CWE-99) and improper validation of the specified type of input (CWE-1287). phpCAS versions prior to 1.6.0 reconstruct the service URL they present to the CAS server during ticket validation from request headers (Host, X-Forwarded-Host, X-Forwarded-Server, X-Forwarded-Proto and X-Forwarded-Protocol). Because a CAS service ticket is bound to the service URL it was issued for, an attacker who can set those headers can make phpCAS validate a ticket granted to any other authorized service in the same Single Sign-On (SSO) realm, and the protected application then establishes a session for whichever user that ticket belongs to. The attack needs the victim to visit an attacker-controlled page while logged in to the CAS server: that page sends the victim to the CAS login with the attacker's own service URL, the CAS server hands the attacker a ticket tied to the victim's identity, and the attacker presents that ticket to the vulnerable application with a spoofed host header. The severity depends heavily on the CAS server's service registry configuration. If the registry restricts service URLs to known and trusted services, the attacker must already control one of those registered services. If it permits broad patterns (e.g. "^(https)://.*"), the attacker can obtain tickets for an arbitrary URL and needs no foothold in the federation at all. Mitigations are to upgrade to phpCAS 1.6.0 or later, which requires an explicit service base URL at client construction and derives the service URL from it rather than from headers; on older versions, to call phpCAS::setUrl() with the full current page URL (and phpCAS::setCallbackURL() in proxy mode) so that header-based discovery is never used; and to have the reverse proxy or web server normalize the Host and X-Forwarded-* headers before they reach PHP. No exploitation in the wild has been reported, but the vulnerability is a significant risk for any PHP application relying on vulnerable phpCAS versions for authentication.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to sensitive applications protected by phpCAS, compromising user accounts and the data behind them. Since phpCAS is commonly used in academic institutions, government portals, and enterprise applications that implement CAS-based SSO, exploitation could undermine access control and allow identity impersonation within federated services. The impact falls primarily on confidentiality (unauthorized data access) and integrity (actions performed under the victim's identity); availability is affected only indirectly, for example if the attacker uses the hijacked session to change account settings or lock the victim out. The risk is heightened where the CAS server service registry is loosely configured with broad URL patterns, because the attacker then needs no registered service of their own and can reuse the technique against every phpCAS-protected application in the same SSO realm, amplifying the scope of compromise. Since exploitation requires victim interaction (visiting a malicious site while logged in), phishing or social engineering campaigns are the likely delivery mechanism. The absence of known exploits suggests limited current threat activity, but the vulnerability remains a serious concern for organizations running vulnerable phpCAS versions without the configuration described above or the patch.
Mitigation Recommendations
1. Upgrade phpCAS to version 1.6.0 or later, which requires an explicit service base URL when the client is constructed and derives the service URL from it instead of from request headers.
2. Review and tighten the CAS server service registry so that only a whitelist of known, trusted service URLs is allowed, rather than broad patterns such as "^(https)://.*".
3. If you cannot upgrade yet, make sure the phpCAS bootstrap calls phpCAS::setUrl() with the full URL of the current page, built from configuration rather than from request headers, and phpCAS::setCallbackURL() whenever proxy mode is enabled, so that the library never falls back to header-based service URL discovery.
4. Have the reverse proxy or web server validate and normalize the Host, X-Forwarded-Host, X-Forwarded-Server, X-Forwarded-Proto, and X-Forwarded-Protocol headers before requests reach PHP, so that a client-supplied value can never reach the application.
5. Audit CAS implementations and phpCAS client configurations regularly for outdated library versions and for bootstraps that still rely on discovery.
6. Educate users about phishing risks, as exploitation requires the victim to visit an attacker-controlled site while logged in.
7. Monitor authentication logs, in particular CAS server ticket validation requests whose service URL does not match the application's canonical URL, and application logins that follow a ticket validation for an unexpected service, as indicators of exploitation attempts.
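The following is an added example of a client bootstrap (not the phpCAS project's own sample code) that applies recommendations 1 and 3 above: on phpCAS 1.6.0 and later it passes the service base URL to the constructor, and on older versions it derives the current page URL for phpCAS::setUrl() from that same configured base instead of from the request. The host names, the CA bundle path and the currentPageUrl() helper are assumptions for the illustration.

```php
<?php
// Added example, not code from the phpCAS project: a client bootstrap that pins the
// service URL to configuration instead of request headers. Host names, paths and the
// CA bundle location are placeholders for this illustration.
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';   // apereo/phpcas installed via Composer

$casHost    = 'cas.example.org';
$casPort    = 443;
$casContext = '/cas';
// The only URL under which this application is legitimately reachable.
$serviceBaseUrl = 'https://app.example.org';

/**
 * Rebuilds the URL of the current page from the configured base URL plus the request
 * path and query, with the CAS "ticket" parameter removed. Nothing here reads Host or
 * X-Forwarded-*; the scheme and host always come from $serviceBaseUrl.
 */
function currentPageUrl(string $baseUrl, string $requestUri): string
{
    $parts = parse_url($requestUri);
    parse_str($parts['query'] ?? '', $query);
    unset($query['ticket']);
    $url = rtrim($baseUrl, '/') . ($parts['path'] ?? '/');
    return $query === [] ? $url : $url . '?' . http_build_query($query);
}

if (version_compare(phpCAS::getVersion(), '1.6.0', '>=')) {
    // 1.6.0+: the fifth argument is the service base URL. The library takes the scheme
    // and host of the service URL from it, so a spoofed header cannot redirect validation.
    // An array of base URLs is accepted when the application has several canonical hosts.
    phpCAS::client(CAS_VERSION_3_0, $casHost, $casPort, $casContext, $serviceBaseUrl);
} else {
    // < 1.6.0 (until the upgrade lands): header-based discovery is bypassed only when the
    // full URL of the current page is set explicitly, on every request, from configuration.
    phpCAS::client(CAS_VERSION_3_0, $casHost, $casPort, $casContext);
    phpCAS::setUrl(currentPageUrl($serviceBaseUrl, $_SERVER['REQUEST_URI'] ?? '/'));
}

// Always verify the CAS server's TLS certificate; never use setNoCasServerValidation() in production.
phpCAS::setCasServerCACert('/etc/ssl/certs/ca-certificates.crt');

phpCAS::forceAuthentication();
echo 'Authenticated as ' . htmlspecialchars(phpCAS::getUser(), ENT_QUOTES, 'UTF-8');
```

In proxy mode, call phpCAS::proxy() with the same service base URL argument and pin phpCAS::setCallbackURL() to a URL built from $serviceBaseUrl as well, since the callback URL is subject to the same discovery. Building the setUrl() value from $_SERVER['HTTP_HOST'] or $_SERVER['HTTP_X_FORWARDED_HOST'] instead of the configured base would reintroduce the flaw.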
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-02T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9846c4522896dcbf4995
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 6/22/2025, 2:37:05 PM
Last updated: 7/31/2025, 10:00:09 AM
Views: 10
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)