oss-sec mailing list archives
Re: CVE Request: WebAuth: Authentication credential disclosure
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 18 May 2013 01:00:17 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/16/2013 12:58 PM, Salvatore Bonaccorso wrote:
Hi Kurt Could a CVE be assigned for this issue in WebAuth (Cc'ing Russ Allbery): ----cut---------cut---------cut---------cut---------cut---------cut-----
WebAuth 4.4.1 was changed to use a persistent CGI::Application object
for the WebLogin application when run under FastCGI. However, CGI::Application does not reset header state automatically between FastCGI requests, and WebLogin was not modified to do so. In most situations, this caused no problems, since WebLogin overrode the previous header state with new values when answering the request. However, it did not do so when redirecting a user for REMOTE_USER authentication using the $REMUSER_REDIRECT WebLogin option. Therefore, if WebLogin were configured with the $REMUSER_REDIRECT option and running under FastCGI, a user using REMOTE_USER authentication may receive WebLogin cookies intended for a previous user of the same FastCGI login.fcgi process, enabling them to authenticate to other web sites as the previous user. ----cut---------cut---------cut---------cut---------cut---------cut----- Upstream advisory: [1] http://webauth.stanford.edu/security/2013-05-15.html Versions affected: 4.4.1 through 4.5.2 Versions fixed: 4.5.3 and later Upstream patch for the issue is referenced at [2]. [2] http://webauth.stanford.edu/security/2013-05-15.patch Even tought advisory says "For Debian and Ubuntu users, all versions of WebAuth with this vulnerability were only uploaded to Debian experimental and did not appear in any release. For Stanford users, no version of WebLogin with this vulnerability was ever deployed in production.", would it make sense nevertheless to assign a CVE to this issue? Regards, Salvatore
I did a Google search, there appear to be other universities/organizations using WebAuth, was the vulnerable version made generally available (e.g. on an ftp site or whatever?). - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRlycBAAoJEBYNRVNeJnmTNvgQAKFLYqRaxIkEU8a4R7kOMJyf cld4weMGow+fQK45V7HFHE+dHugASH6TWQHozucJ7gfXgBk5V8HWAXMceo+MCo7h cbPsMiWOxiJOOJlffGs6Y/dvKM5dURj3WZDam21RDI8rPR28WJX1DAjprXByqTUr BgzVcH2inh0rDBPo+jeK/UPiEzQXEE4NJpkTTijDLhkqvuk40k9P1Ftxb/STN/yf tKse0cDJ7K5+petk5r1/Q8LiCJx1f3KejvZN2vNKUnU3/7v7KcYFINio0PQhV60X HZOFcByUDSoLpkiLwr8s+/Z7cmIvU3lMBfoBbQJFlXcyLlz5Hc+IBXbqQP6xAquO IbxP2bgMZWDlkAxiyJUiZeAqD4e71AXTjalXPLQ7nEUSgS3fhBi1Kv4x8N+dFiY4 LPrY4UvnnVKUFSqB8zqcPduEeqx8e3110Dqbd1EvdjMHQYXDjQA6dG1hxMFsyjS9 N4SKd5smxzQUoXm49cgvxmU7qi5DO2bFpckqrsNX4tcAmWOaeeYS+IHvzWJeXyua IbOjLEH5U7s411d5J2xERYXbw/zAj2oA+B7cBEKhSAtlpRwAJvTXB3vvSju+OihY Mys9eN6BBVNPopD34MLeaiLVZC+r0tGKC08UT39SAgNIoLXwtz8/9S1Gy6MoJeub MjjqRYuoI3Tlnqit5KHl =umo+ -----END PGP SIGNATURE-----
Current thread:
- CVE Request: WebAuth: Authentication credential disclosure Salvatore Bonaccorso (May 16)
- Re: CVE Request: WebAuth: Authentication credential disclosure Russ Allbery (May 16)
- Re: CVE Request: WebAuth: Authentication credential disclosure Kurt Seifried (May 18)
- Re: CVE Request: WebAuth: Authentication credential disclosure Russ Allbery (May 18)
- Re: CVE Request: WebAuth: Authentication credential disclosure Kurt Seifried (May 18)
- Re: CVE Request: WebAuth: Authentication credential disclosure Russ Allbery (May 18)