WebAuth 3.6.2 Announcement
The ITS WebAuth team is pleased to announce Stanford WebAuth 3.6.2. This release fixes a security vunlerability in the WebLogin server that may, under obscure circumstances, expose the user's password in a URL and from there to the browser history and possibly authenticated web sites via referrer.
For documentation and downloads of WebAuth 3.6.2, see:
New Debian packages have been uploaded to Debian unstable. A security fix for the version of WebAuth included in Debian 5.0 (lenny) will be proposed for the next stable update. In the meantime, updated versions have been uploaded to backports.org.
There are no changes except to the WebLogin script and templates in this release, so updating the Apache modules is not required. Similarly, new Red Hat packages are not required since the WebLogin server is not packaged for Red Hat.
The user-visible changes in this release are:
SECURITY: When generating the redirect to test for cookie support if the test cookie is not already set, be sure not to include the username and password query fields in the redirect URL. Otherwise, the user's password could be logged in the Apache logs and possibly be included in referrer information sent by the browser.
SECURITY: Reject username/password logins via methods other than POST, since continuing risks exposing the password in the browser history and via referrer information.
If the user submits the login form via POST without including the test cookie, assume that the browser supports cookies and proceed. We won't present the initial login form without seeing the test cookie, so something strange is happening. Continuing and assuming everything will work seems to be the best approach.
Add tools/weblogin-passcheck to examine Apache logs looking for users who were affected by the above security vulnerabilities. This script is not installed by default but is provided in the distribution for WebLogin administrators to use to determine the scope of this problem. For documentation, run tools/weblogin-passcheck -h.