WebAuth 3.5.2 Announcement
The ITS WebAuth team is pleased to announce Stanford WebAuth 3.5.2. This release fixes a cross-site scripting security issue in the sample Weblogin templates and fixes some other issues with the Weblogin code. There are no changes except for Weblogin; clients have no reason to upgrade.
If you have customized your login templates, please note that the security fix to the sample templates needs to also be applied to your customized templates. Replace any instance of:
<TMPL_VAR ESCAPE=HTML NAME=variable>
in your templates, for any value of
For documentation and downloads of WebAuth 3.5.2, see:
Since the changes in this release are only to the Weblogin server, we have not updated the Red Hat and Solaris builds.
The user-visible changes in this release are:
SECURITY: Modify the default templates to add ESCAPE=HTML when inserting the values of variables. Without telling HTML::Template to escape values in this fashion, a cross-site scripting attack is possible with at least the username field of the login form. Any site using customized templates should make the equivalent change to their templates.
Set Pragma: no-cache and Cache-Control: no-cache in the HTTP headers of all responses from the Weblogin scripts. This is particularly important for the logout script, since otherwise browsers may cache the logout page and not actually be logged out.
Don't ever redirect the user to the URL that attempts Apache authentication if they've already submitted the login form, even if they didn't supply a username or password. Once the user reaches the login page, the page flow should keep them there until they log in with username and password.