WebAuth 2009-09-10 Advisory

Vulnerability type: Authentication credential disclosure
Versions affected: 3.5.5, 3.6.0, and 3.6.1
Versions fixed: 3.6.2 and later
Reported: 2009-08-31
Public announcement: 2009-09-10
CVE ID: CVE-2009-2945

WebAuth 3.5.5 introduced a new method to probe for browser cookie support in the WebLogin script. This code was intended to run only during the initial page visit on the WebLogin server. However, under rare circumstances, a browser may present the test cookie when loading the login form but then not present the cookie when submitting the form, triggering an untested code path. This code path accidentally used a feature of the Perl CGI module to convert the form submitted via POST to a GET query as part of a redirect. The user is then successfully logged on via GET and continues to the remote site.

Because the form is converted to a GET, the user's password becomes part of the URL and therefore enters the browser history, where it may be exposed by shared use of the system or through snooping attacks on browser history. It is also exposed in the web server logs of the WebLogin server. If the WebLogin confirmation page is enabled, the URL containing the user's password may also become the referrer and be sent by the browser in the referrer header to the web site to which the user was authenticating, where it would be seen by that web server and possibly logged in its server logs.

The specific conditions that trigger this bug are as yet unknown, although it can be duplicated by clearing browser cookies after loading the login page but before submitting the login form. The bug happens rarely, during only a tiny fraction of authentications, but it appears to affect all major browsers.

The problematic code has been fixed in WebAuth 3.6.2 to never convert POST to GET and to ensure that passwords are never included in redirects. WebAuth 3.6.2 also rejects authentication via GET, since a GET login opens the possibility of exposing the password via the referrer information sent by the browser. Note that a rejected GET authentication is still recorded in the web server logs on the WebLogin server and in the browser history; the rejection limits further exposure but does not undo that.
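The redirect path described above and the two changes made in 3.6.2, as an added illustration written for this page; it is not WebAuth's own login.fcgi and reproduces only what the advisory describes. It assumes the CGI.pm feature at fault is self_url(), which rebuilds a query string from every current parameter, POST body included; the advisory does not name the call. The form field names username, password, RT and ST, the cookie name webauth_test and the host weblogin.example.edu are assumptions as well.

```perl
#!/usr/bin/perl
# Added illustration of the CVE-2009-2945 code path, not WebAuth's login.fcgi.
# Assumptions: the CGI.pm call at fault is self_url(); the form fields are
# username, password, RT and ST; the host and script path are made up.
use strict;
use warnings;
use CGI;

# Non-secret state the login form carries between requests (assumed names).
my @STATE_FIELDS = qw(RT ST);

# VULNERABLE (3.5.5 - 3.6.1 behaviour): self_url() reconstructs the query
# string from every current parameter.  For a POST those parameters are the
# request body, so the redirect target becomes
# GET /login.fcgi?username=...&password=...  and the password lands in the
# browser history, the WebLogin access log and, later, the Referer header.
sub redirect_target_vulnerable {
    my ($q) = @_;
    return $q->self_url;
}

# FIXED: redirect to the script URL plus an allowlist of non-secret fields.
# The password is never copied into a URL, whatever the request method was.
sub redirect_target_fixed {
    my ($q) = @_;
    my @pairs;
    for my $name (@STATE_FIELDS) {
        my $value = $q->param($name);
        next unless defined $value && length $value;
        push @pairs, $name . '=' . CGI::escape($value);
    }
    my $target = $q->url(-path_info => 1);
    $target .= '?' . join('&', @pairs) if @pairs;
    return $target;
}

# Second change in 3.6.2: refuse credentials that arrive via GET at all.
# Returns true when the request must be rejected before any authentication.
sub credentials_via_get {
    my ($q) = @_;
    return $q->request_method eq 'GET' && defined $q->param('password');
}

# Stand-alone demonstration with a constructed environment and form: the
# test cookie was set when the form was loaded but is absent on submission.
$ENV{REQUEST_METHOD} = 'POST';
$ENV{SERVER_NAME}    = 'weblogin.example.edu';
$ENV{SERVER_PORT}    = 443;
$ENV{HTTPS}          = 'on';
$ENV{SCRIPT_NAME}    = '/login.fcgi';
delete $ENV{HTTP_COOKIE};

my $q = CGI->new({ username => 'alice', password => 's3cret!',
                   RT => 'rt-token', ST => 'st-token' });
my $have_test_cookie = defined $q->cookie('webauth_test');

if ($q->request_method eq 'POST' && !$have_test_cookie) {
    print "vulnerable redirect target: ", redirect_target_vulnerable($q), "\n";
    print "fixed redirect target:      ", redirect_target_fixed($q), "\n";
}

# How the fixed script would answer a GET that carries a password.
$ENV{REQUEST_METHOD} = 'GET';
if (credentials_via_get($q)) {
    print "GET with password: rejected (",
          $q->header(-status => '405 Method Not Allowed'), ")\n";
}
```

Run it with perl from a shell (CGI.pm is no longer in the Perl core and must be installed from CPAN on current Perls). The vulnerable target carries username and password in its query string; the fixed target carries only RT and ST. The GET rejection is a backstop, not the fix: by the time the script sees such a request the URL is already in the access log and the browser history, which is the point the advisory makes about failed GET authentications.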

WebAuth 3.6.2 is available from:

http://webauth.stanford.edu/

Included in this release is a script to scan web server logs from the WebLogin server to identify affected users.
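The log scan mentioned above, as an added example; it is not the script shipped with WebAuth 3.6.2 and reproduces only what the advisory describes. It parses Apache combined-format lines and reports requests for the WebLogin script whose query string contains a password field, naming the user but never printing the password. It goes one step beyond the WebLogin-server scan and also flags a Referer header carrying such a URL, which is what the referrer exposure described earlier would leave in an application server's log. The script path /login.fcgi at the site root, the field names username and password, and the sample log lines are constructed assumptions.

```perl
#!/usr/bin/perl
# Added example, not the scanner shipped with WebAuth 3.6.2.  Scans Apache
# combined-format access log lines for WebLogin authentications whose URL
# carried the password (CVE-2009-2945) and reports the affected users.
use strict;
use warnings;

my $LOGIN_PATH = '/login.fcgi';   # assumed path of the WebLogin login script

# Decode a query string.  CGI.pm joins pairs with ';' or '&' depending on
# version, so accept both separators.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /[&;]/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $param{$k} = defined $v ? $v : '';
    }
    return \%param;
}

# If $url (a request path or a full Referer URL) points at the login script
# and its query string has a password field, return the decoded parameters.
sub leaked_credentials {
    my ($url) = @_;
    return undef unless defined $url;
    my ($path, $qs) = $url =~ m{^(?:https?://[^/]+)?([^?\s]*)\?(\S*)$};
    return undef unless defined $path && $path eq $LOGIN_PATH;
    my $p = parse_query($qs);
    return exists $p->{password} ? $p : undef;
}

# Parse one combined-format line; return a hash describing the exposure or
# undef.  The password itself is never copied into the result.
sub check_line {
    my ($line) = @_;
    my ($ip, $ts, $method, $url, $referer) = $line =~
        m{^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} \S+ "([^"]*)"};
    return undef unless defined $ip;
    if (my $p = leaked_credentials($url)) {       # WebLogin server's own log
        return { ip => $ip, time => $ts, user => $p->{username},
                 via => "$method request line" };
    }
    if (my $p = leaked_credentials($referer)) {   # an application server's log
        return { ip => $ip, time => $ts, user => $p->{username},
                 via => 'Referer header' };
    }
    return undef;
}

# All exposures found in a list of log lines.
sub affected_users {
    return grep { defined } map { check_line($_) } @_;
}

# Constructed sample lines, not real log data: a normal POST login, a login
# that went through the POST-to-GET redirect, a harmless cookie-probe GET,
# and an application server line whose Referer carries the leaked URL.
my @LOG = (
    '10.0.0.1 - - [05/Sep/2009:10:11:12 -0700] "POST /login.fcgi HTTP/1.1" 302 0 "https://weblogin.example.edu/login.fcgi" "Mozilla/5.0"',
    '10.0.0.2 - - [05/Sep/2009:10:12:00 -0700] "GET /login.fcgi?username=alice&password=s3cret%21&RT=rt1&ST=st1 HTTP/1.1" 302 0 "https://weblogin.example.edu/login.fcgi" "Mozilla/5.0"',
    '10.0.0.3 - - [05/Sep/2009:10:13:00 -0700] "GET /login.fcgi?RT=rt3&ST=st3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [05/Sep/2009:10:12:03 -0700] "GET /protected/ HTTP/1.1" 200 512 "https://weblogin.example.edu/login.fcgi?username=bob;password=hunter2;RT=rt2;ST=st2" "Mozilla/5.0"',
);

for my $hit (affected_users(@LOG)) {
    printf "%s  user=%-8s  client=%-9s  exposed via %s\n",
        $hit->{time}, $hit->{user} // '(unknown)', $hit->{ip}, $hit->{via};
}
```

To run it against a real log, replace the constructed @LOG with the lines read from the WebLogin server's access log (or an application server's log for the Referer case) and feed them to affected_users. Users it reports should be told to change their password, since the cleartext value sits in browser history and in every log that recorded the URL.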

The only code affected is the WebLogin login script (weblogin/login.fcgi). Administrators currently running 3.6.1 can safely update only that script from the 3.6.2 package without upgrading the rest of the WebLogin or WebKDC server installation. The WebAuth and WebKDC Apache modules are not affected by this vulnerability. No changes are needed on individual WebAuth Application Servers, only the WebLogin server.

This vulnerability will be fixed in version 3.6.0-1+lenny1 of the webauth-weblogin package in Debian 5.0 (lenny), which will be proposed for the next stable update. Debian 4.0 (etch) shipped WebAuth 3.5.3 and is not vulnerable. This vulnerability is fixed in version 3.6.2-1~bpo50+1 of the webauth-weblogin package in the lenny-backports distribution from backports.org.

The webauth-weblogin packages shipped with Ubuntu jaunty, intrepid, and hardy are also affected.

Last spun 2022-02-06 from thread modified 2013-01-04