Re: CVE Request: WebAuth: Authentication credential disclosure

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/18/2013 01:15 AM, Russ Allbery wrote:
> Kurt Seifried <kseifried () redhat com> writes:
>
> > I did a Google search, there appear to be other 
> > universities/organizations using WebAuth, was the vulnerable
> > version made generally available (e.g. on an ftp site or
> > whatever?).
>
> Yes, via http://webauth.stanford.edu/ as well as via my personal
> web site. I did issue an advisory (to
> webauth-announce () lists stanford edu).  There were six announced
> (distributed, tagged, etc.) releases that had this vulnerability.
>
> WebAuth is moderately well-used; it's not as popular as some of the
> other web single sign-on systems, but it's been distributed with
> Debian and Ubuntu for quite a while and I know a fair number of
> sites that use it.
>
> The time interval between the broken and fixed version was
> relatively short (four months -- we're in the middle of a heavy
> development cycle) and the flaw was only in the central server
> component (which you only run one of within any given organization
> and tend to be conservative about upgrading) as opposed to the
> Apache modules that are installed everywhere, so it's possible that
> no one who met the fairly specific conditions required to trigger
> the bug ever deployed it, but I don't have a way of knowing that
> for certain.

Yeah in this case I'm definitely going count a 4 month window as "made
available" =). Please use CVE-2013-2106 for this issue. With any luck
now all the standard scanners like Nessus will add a test and anyone
vulnerable will find out asap.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRlyvwAAoJEBYNRVNeJnmTIIYQAJH3+2OJqVLC8X5LL1STdUY8
wWiUIEZRdobtXv1aha4JpUY6GQQAThgyWmGnTBvagGEWAo+Q2hsVZCTjaQ8vLaBn
/KbE1qnGDCNtx1+xBKulQ+XOioNS0HuFEdxX0Iw3Rei6XC/87qj1HWzTBhFHWr7s
HzOFFh/JshKnyDpuuvOwELYlNOnV6gJ3mjafootbSZWhN+bkcg5IExrDGu4JJmIy
p0XQOprjaLdQsi2r/USfZqrSrYVEGoD9eTVJ6X+4oTgC0SKzr0XuU9OO+o3JaRSt
Phxqp30vvIRRlezNJ003VXK0AbotWLQ5omdsZNgiLI+PO7vQ/nfEC/vJWPVn4jmj
kqqObjcQk774NYLf/G4yv14cykXf5c+i/HjrEEj8NwjC3M69OJRb6iwWEbq8EPNz
Nrqrej6rvHmsoQ0MCZp/7tXorYnG/LcfDziDcJolpT4Gw/FSVsVdhILwm5hLeUAl
p43236i/e1HNl9sUg1X7GLvPNTZJDQ0bopFr8MSyKJCjCIsMGWOJVDlU8R2LQ3I8
PXkaFQjdTjku1kReA2jp/IahGucxc538bjuvY/pH6iq0+k+yHn6tNQcUw+Y4S6nC
p68WZ6JYYJ5GBRdjRnW/b609SQTnbe20Nk1M/8yA4XS7pYbbiA/g5XBm4HVQ2gzx
cPwj8FpvdVlrYHeVGvSO
=VBZj
-----END PGP SIGNATURE-----