Vendor: University of Cambridge
Product: The Raven Apache Module ("mod_ucam_webauth")
Affected versions: < 2.0.2
Versions prior to 2.0.2 of the C module for Apache [1], and versions prior to 0.52 of the PHP module [2], both exhibit similar directory traversal vulnerabilities because they fail to properly sanitise the "kid" field of the WLS-Response message. The potential impact is that an attacker can craft a WLS-Response message signed with a different key to any in the current service set (i.e. they can spoof a WLS-Response message). This and other attacks are explained in some detail in a paper submitted to the 26th Security Protocols Workshop [3].
A vendor fix is available.