| < Upgrade tomorrow | Russ Allbery > Eagle's Path > July 2006 | "No Women" Cheese > |
A friendly web site analyzer contacted our security office and let us know about a cross-site scripting attack that was possible against our WebAuth Weblogin servers. Turns out that HTML::Template doesn't escape values substituted into HTML pages unless you explicitly tell it to. Doh. I'm embarassed that I've missed this for years.
I've now released WebAuth 3.5.2 with this fixed in the sample templates, but any site running WebAuth with customized login templates needs to also fix this in their other templates. For more information, see the release announcement. There are also a few other accumulated fixes for the Weblogin code in this release.
You can get the latest version from the WebAuth download page.
Posted: 2006-07-13 18:40 — Why no comments?
| < Upgrade tomorrow | Russ Allbery > Eagle's Path > July 2006 | "No Women" Cheese > |