oss-sec mailing list archives

Re: CVE Request: WebAuth: Authentication credential disclosure


From: Russ Allbery <rra () debian org>
Date: Sat, 18 May 2013 00:15:06 -0700

Kurt Seifried <kseifried () redhat com> writes:

> I did a Google search, there appear to be other
> universities/organizations using WebAuth, was the vulnerable version
> made generally available (e.g. on an ftp site or whatever?).

Yes, via http://webauth.stanford.edu/ as well as via my personal web site.
I did issue an advisory (to webauth-announce () lists stanford edu).  There
were six announced (distributed, tagged, etc.) releases that had this
vulnerability.

WebAuth is moderately well-used; it's not as popular as some of the other
web single sign-on systems, but it's been distributed with Debian and
Ubuntu for quite a while and I know a fair number of sites that use it.

The time interval between the broken and fixed version was relatively
short (four months -- we're in the middle of a heavy development cycle)
and the flaw was only in the central server component (which you only run
one of within any given organization and tend to be conservative about
upgrading) as opposed to the Apache modules that are installed everywhere,
so it's possible that no one who met the fairly specific conditions
required to trigger the bug ever deployed it, but I don't have a way of
knowing that for certain.

-- 
Russ Allbery (rra () debian org)               <http://www.eyrie.org/~eagle/>