Date: Sat, 18 May 2013 01:00:17 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Salvatore Bonaccorso <carnil@...ian.org>, Russ Allbery <rra@...ian.org> Subject: Re: CVE Request: WebAuth: Authentication credential disclosure -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/16/2013 12:58 PM, Salvatore Bonaccorso wrote: > Hi Kurt > > Could a CVE be assigned for this issue in WebAuth (Cc'ing Russ > Allbery): > > ----cut---------cut---------cut---------cut---------cut---------cut----- > > WebAuth 4.4.1 was changed to use a persistent CGI::Application object > for the WebLogin application when run under FastCGI. However, > CGI::Application does not reset header state automatically between > FastCGI requests, and WebLogin was not modified to do so. In most > situations, this caused no problems, since WebLogin overrode the > previous header state with new values when answering the request. > However, it did not do so when redirecting a user for REMOTE_USER > authentication using the $REMUSER_REDIRECT WebLogin option. > > Therefore, if WebLogin were configured with the $REMUSER_REDIRECT > option and running under FastCGI, a user using REMOTE_USER > authentication may receive WebLogin cookies intended for a > previous user of the same FastCGI login.fcgi process, enabling them > to authenticate to other web sites as the previous user. > ----cut---------cut---------cut---------cut---------cut---------cut----- > > Upstream advisory: > >  http://webauth.stanford.edu/security/2013-05-15.html > > Versions affected: 4.4.1 through 4.5.2 Versions fixed: 4.5.3 and > later > > Upstream patch for the issue is referenced at . > >  http://webauth.stanford.edu/security/2013-05-15.patch > > Even tought advisory says "For Debian and Ubuntu users, all > versions of WebAuth with this vulnerability were only uploaded to > Debian experimental and did not appear in any release. For Stanford > users, no version of WebLogin with this vulnerability was ever > deployed in production.", would it make sense nevertheless to > assign a CVE to this issue? > > Regards, Salvatore I did a Google search, there appear to be other universities/organizations using WebAuth, was the vulnerable version made generally available (e.g. on an ftp site or whatever?). - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRlycBAAoJEBYNRVNeJnmTNvgQAKFLYqRaxIkEU8a4R7kOMJyf cld4weMGow+fQK45V7HFHE+dHugASH6TWQHozucJ7gfXgBk5V8HWAXMceo+MCo7h cbPsMiWOxiJOOJlffGs6Y/dvKM5dURj3WZDam21RDI8rPR28WJX1DAjprXByqTUr BgzVcH2inh0rDBPo+jeK/UPiEzQXEE4NJpkTTijDLhkqvuk40k9P1Ftxb/STN/yf tKse0cDJ7K5+petk5r1/Q8LiCJx1f3KejvZN2vNKUnU3/7v7KcYFINio0PQhV60X HZOFcByUDSoLpkiLwr8s+/Z7cmIvU3lMBfoBbQJFlXcyLlz5Hc+IBXbqQP6xAquO IbxP2bgMZWDlkAxiyJUiZeAqD4e71AXTjalXPLQ7nEUSgS3fhBi1Kv4x8N+dFiY4 LPrY4UvnnVKUFSqB8zqcPduEeqx8e3110Dqbd1EvdjMHQYXDjQA6dG1hxMFsyjS9 N4SKd5smxzQUoXm49cgvxmU7qi5DO2bFpckqrsNX4tcAmWOaeeYS+IHvzWJeXyua IbOjLEH5U7s411d5J2xERYXbw/zAj2oA+B7cBEKhSAtlpRwAJvTXB3vvSju+OihY Mys9eN6BBVNPopD34MLeaiLVZC+r0tGKC08UT39SAgNIoLXwtz8/9S1Gy6MoJeub MjjqRYuoI3Tlnqit5KHl =umo+ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.