< WebAuth 4.5.2 | Russ Allbery > Eagle's Path > May 2013 | Collected haul > |
Good news: we finally tracked down the intermittent redirect looping bug
so that I could fix it! Bad news: it was also a security vulnerability.
Thankfully, it was fairly specific: you had to be using FastCGI for the
login page and you also had to be using the $REMUSER_REDIRECT
option. But in those situations, WebAuth versions from 4.4.1 through
4.5.2 could potentially leak authentication state from one user to
another.
The full scenario is somewhat tedious to explain, but the short version is that, in 4.4.1, I switched over to using a single persistent CGI::Application object instead of re-creating it for each request. This takes better advantage of FastCGI. However, CGI::Application doesn't reset header properties between requests, and while we mostly did that internally, there was one specific case around REMOTE_USER redirects where we didn't.
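The bug class described above, as an added illustration that is not WebAuth's own code: one CGI::Application object serves every FastCGI request, and the header state it accumulates (header_type and header_props) is only safe if it is reset at the start of each request. The package name Demo::Login, the run mode, the redirect URL, and the Perl variable standing in for the $REMUSER_REDIRECT option are assumptions made for the example.

```perl
#!/usr/bin/perl
# Illustrative reconstruction of the bug class, NOT WebAuth's code.  One
# CGI::Application object stays alive across FastCGI requests, and
# header_type()/header_props() persist on it unless explicitly reset.
package Demo::Login;
use strict;
use warnings;
use parent 'CGI::Application';

# Hypothetical stand-in for the $REMUSER_REDIRECT configuration option.
my $REMUSER_REDIRECT = 1;

sub setup {
    my $self = shift;
    $self->start_mode('login');
    $self->run_modes(login => 'login');
}

# THE FIX: reset per-response header state at the start of every request.
# Without this hook, a redirect (and its -url property) prepared for one
# request is replayed to the next request served by the same object, so
# a second, unrelated user receives the first user's redirect.
sub cgiapp_prerun {
    my $self = shift;
    $self->header_type('header');
    $self->header_props({});
}

sub login {
    my $self = shift;
    if ($REMUSER_REDIRECT && defined $ENV{REMOTE_USER}) {
        # Apache already authenticated this user: redirect onward.  The
        # URL is a constructed placeholder, not a WebAuth endpoint.
        $self->header_type('redirect');
        $self->header_props(-url => '/login/remuser?user=' . $ENV{REMOTE_USER});
        return '';
    }
    $self->header_props(-type => 'text/html; charset=utf-8');
    return "<html><body>Please log in.</body></html>\n";
}

package main;
use CGI::Fast;

# Persistent object reused for every request (the 4.4.1 change the post
# describes); only the query object is swapped in per request.
my $app = Demo::Login->new();
while (my $q = CGI::Fast->new) {
    $app->query($q);
    $app->run;
}
```

Remove the cgiapp_prerun hook and serve a request with REMOTE_USER set followed by one without it: the second response is still a redirect carrying the first user's identity, which is the cross-user state leak the post describes.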
For more details, including a patch for those who don't want to upgrade, see the security advisory.
WebAuth 4.5.3 has been released with only this fix relative to 4.5.2. You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.
Posted: 2013-05-15 15:47