WebAuth 3.6.2

The Stanford Information Security Office uncovered a problem with the WebLogin server that's been present since 3.5.5. Under still-mysterious circumstances, the code intended to detect cookie support would trigger and rewrite the login submission as a GET instead of a POST, causing the user's password to end up in the URL. That potentially exposes it to attacks on browser history, other people using the same systems, and to the web server to which they're authenticating in the referrer information.

This release fixes this problem by always removing the password from any redirect, not redirecting after form submission via POST on the assumption that the browser does support cookies at that point and is just lying, and rejecting all authentications via GET. The only changes are to the WebLogin server.

See the security advisory for more information.

You can get the latest version from the WebAuth web site or from my WebAuth distribution page.

Posted: 2009-09-10 13:16 — Why no comments?

Last spun 2013-07-01 from thread modified 2013-01-04