Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 18 May 2013 01:00:17 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Salvatore Bonaccorso <carnil@...ian.org>, Russ Allbery <rra@...ian.org>
Subject: Re: CVE Request: WebAuth: Authentication credential
 disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/16/2013 12:58 PM, Salvatore Bonaccorso wrote:
> Hi Kurt
> 
> Could a CVE be assigned for this issue in WebAuth (Cc'ing Russ 
> Allbery):
> 
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>
> 
WebAuth 4.4.1 was changed to use a persistent CGI::Application object
> for the WebLogin application when run under FastCGI. However, 
> CGI::Application does not reset header state automatically between 
> FastCGI requests, and WebLogin was not modified to do so. In most 
> situations, this caused no problems, since WebLogin overrode the 
> previous header state with new values when answering the request. 
> However, it did not do so when redirecting a user for REMOTE_USER 
> authentication using the $REMUSER_REDIRECT WebLogin option.
> 
> Therefore, if WebLogin were configured with the $REMUSER_REDIRECT 
> option and running under FastCGI, a user using REMOTE_USER 
> authentication may receive WebLogin cookies intended for a
> previous user of the same FastCGI login.fcgi process, enabling them
> to authenticate to other web sites as the previous user. 
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>
>  Upstream advisory:
> 
> [1] http://webauth.stanford.edu/security/2013-05-15.html
> 
> Versions affected: 4.4.1 through 4.5.2 Versions fixed:	   4.5.3 and
> later
> 
> Upstream patch for the issue is referenced at [2].
> 
> [2] http://webauth.stanford.edu/security/2013-05-15.patch
> 
> Even tought advisory says "For Debian and Ubuntu users, all
> versions of WebAuth with this vulnerability were only uploaded to
> Debian experimental and did not appear in any release. For Stanford
> users, no version of WebLogin with this vulnerability was ever
> deployed in production.", would it make sense nevertheless to
> assign a CVE to this issue?
> 
> Regards, Salvatore

I did a Google search, there appear to be other
universities/organizations using WebAuth, was the vulnerable version
made generally available (e.g. on an ftp site or whatever?).



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRlycBAAoJEBYNRVNeJnmTNvgQAKFLYqRaxIkEU8a4R7kOMJyf
cld4weMGow+fQK45V7HFHE+dHugASH6TWQHozucJ7gfXgBk5V8HWAXMceo+MCo7h
cbPsMiWOxiJOOJlffGs6Y/dvKM5dURj3WZDam21RDI8rPR28WJX1DAjprXByqTUr
BgzVcH2inh0rDBPo+jeK/UPiEzQXEE4NJpkTTijDLhkqvuk40k9P1Ftxb/STN/yf
tKse0cDJ7K5+petk5r1/Q8LiCJx1f3KejvZN2vNKUnU3/7v7KcYFINio0PQhV60X
HZOFcByUDSoLpkiLwr8s+/Z7cmIvU3lMBfoBbQJFlXcyLlz5Hc+IBXbqQP6xAquO
IbxP2bgMZWDlkAxiyJUiZeAqD4e71AXTjalXPLQ7nEUSgS3fhBi1Kv4x8N+dFiY4
LPrY4UvnnVKUFSqB8zqcPduEeqx8e3110Dqbd1EvdjMHQYXDjQA6dG1hxMFsyjS9
N4SKd5smxzQUoXm49cgvxmU7qi5DO2bFpckqrsNX4tcAmWOaeeYS+IHvzWJeXyua
IbOjLEH5U7s411d5J2xERYXbw/zAj2oA+B7cBEKhSAtlpRwAJvTXB3vvSju+OihY
Mys9eN6BBVNPopD34MLeaiLVZC+r0tGKC08UT39SAgNIoLXwtz8/9S1Gy6MoJeub
MjjqRYuoI3Tlnqit5KHl
=umo+
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.