=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN376
_____________________________________________________________________

DATE                      : 15/09/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Stanford WebAuth.

======================================================================
https://mailman.stanford.edu/pipermail/webauth-info/2009-September/000532.html
http://webauth.stanford.edu/security/2009-09-10.html
______________________________________________________________________

The ITS WebAuth team is pleased to announce Stanford WebAuth 3.6.2.  This
release fixes a security vunlerability in the WebLogin server that may,
under obscure circumstances, expose the user's password in a URL and from
there to the browser history and possibly authenticated web sites via
referrer.

For documentation and downloads of WebAuth 3.6.2, see:

    http://webauth.stanford.edu/

New Debian packages have been uploaded to Debian unstable.  A security fix
for the version of WebAuth included in Debian 5.0 (lenny) will be proposed
for the next stable update.  In the meantime, updated versions will be
uploaded to backports.org.

There are no changes except to the WebLogin script and templates in this
release, so updating the Apache modules is not required.  Similarly, new
Red Hat packages are not required since the WebLogin server is not
packaged for Red Hat.

The user-visible changes in this release are:

    SECURITY: When generating the redirect to test for cookie support if
    the test cookie is not already set, be sure not to include the
    username and password query fields in the redirect URL.  Otherwise,
    the user's password could be logged in the Apache logs and possibly be
    included in referrer information sent by the browser.

    SECURITY: Reject username/password logins via methods other than POST,
    since continuing risks exposing the password in the browser history
    and via referrer information.

    If the user submits the login form via POST without including the test
    cookie, assume that the browser supports cookies and proceed.  We
    won't present the initial login form without seeing the test cookie,
    so something strange is happening.  Continuing and assuming everything
    will work seems to be the best approach.

    Add tools/weblogin-passcheck to examine Apache logs looking for users
    who were affected by the above security vulnerabilities.  This script
    is not installed by default but is provided in the distribution for
    WebLogin administrators to use to determine the scope of this problem.
    For documentation, run tools/weblogin-passcheck -h.

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS UNIX Systems and Applications, Stanford University


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================