oss-sec mailing list archives
Re: CVE Request: WebAuth: Authentication credential disclosure
From: Russ Allbery <rra () debian org>
Date: Sat, 18 May 2013 00:15:06 -0700
Kurt Seifried <kseifried () redhat com> writes:
> I did a Google search, there appear to be other universities/organizations using WebAuth, was the vulnerable version made generally available (e.g. on an ftp site or whatever?).

Yes, via http://webauth.stanford.edu/ as well as via my personal web site. I did issue an advisory (to webauth-announce () lists stanford edu). There were six announced (distributed, tagged, etc.) releases that had this vulnerability.

WebAuth is moderately well-used; it's not as popular as some of the other web single sign-on systems, but it's been distributed with Debian and Ubuntu for quite a while and I know a fair number of sites that use it. The time interval between the broken and fixed version was relatively short (four months -- we're in the middle of a heavy development cycle) and the flaw was only in the central server component (which you only run one of within any given organization and tend to be conservative about upgrading) as opposed to the Apache modules that are installed everywhere, so it's possible that no one who met the fairly specific conditions required to trigger the bug ever deployed it, but I don't have a way of knowing that for certain.

--
Russ Allbery (rra () debian org) <http://www.eyrie.org/~eagle/>