
Bug#546055: pu: package webauth/3.6.0-1+lenny1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

I wasn't entirely sure what version number was supposed to go into the
subject header.  Hopefully it's the proposed new version.

WebAuth just released a security update for a vulnerability in the
WebLogin server where, in rare circumstances, the user's password
could be lifted into the URL and from there exposed to other web sites
and the browser history.  After discussion with the Debian security
team, this was deemed suited for a stable update rather than a full
security release.

I'm therefore seeking permission to upload webauth 3.6.0-1+lenny1 to
stable-proposed-updates.  The patch against the current 3.6.0-1 release
in stable is attached.

The version in oldstable is not affected by this vulnerability.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u webauth-3.6.0/debian/changelog webauth-3.6.0/debian/changelog
--- webauth-3.6.0/debian/changelog
+++ webauth-3.6.0/debian/changelog
@@ -1,3 +1,13 @@
+webauth (3.6.0-1+lenny1) stable-proposed-updates; urgency=high
+
+  * CVE-2009-2945: When generating a redirect to test for cookie support,
+    be sure not to include a password in the URL.  Reject
+    username/password logins via methods other than POST.
+  * If the user submits the login form via POST without the test cookie,
+    assume the browser supports cookies and don't probe.
+
+ -- Russ Allbery <rra@debian.org>  Wed, 09 Sep 2009 12:25:30 -0700
+
 webauth (3.6.0-1) unstable; urgency=low
 
   * New upstream release.
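Review bot: the changelog entry does not mention the change to src/webkdc/templates/error.tmpl, which introduces a new err_bad_method template variable. Sites that have customised error.tmpl will not pick up the new text and will fall through to the err_webkdc branch in login.fcgi; a sentence such as "error.tmpl gains an err_bad_method variable; locally modified templates should be updated" in the changelog (or a NEWS entry) would warn administrators before they upgrade.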
only in patch2:
unchanged:
--- webauth-3.6.0.orig/src/webkdc/login.fcgi
+++ webauth-3.6.0/src/webkdc/login.fcgi
@@ -562,6 +562,15 @@
     # to set a cookie.  The cookie should always be present the second time
     # around.
     #
+    # However, do not do this as the result of a POST; not only may it violate
+    # the HTTP/1.0 protocol for browsers that don't support 1.1, but if the
+    # user already got the login page, it's not clear how they couldn't have
+    # cookie support.  If we redirect them and strip out the username and
+    # password, we get a confusing error message or we have to throw the no
+    # cookie support error page.  Just continue on at that point and hope
+    # everything works.  We may be dealing with an automated script that wants
+    # to authenticate via POST without going through the test cookie dance.
+    #
     # If the parameter is already set and we still don't have a cookie, the
     # user has cookies disabled.  Display the error page.
     if (!$q->cookie ($TEST_COOKIE)) {
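Review bot: with this change a POST that arrives without the test cookie is no longer probed, so the later comment "From this point on, browser cookie support is enforced" is no longer true for POST requests and should be updated to say that the check is skipped for POST. It is also worth stating in the comment what happens downstream for a cookie-less POST client (for example an automated script, as the comment itself mentions): the WebKDC request proceeds and any cookie set in the response is silently dropped by the client.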
@@ -581,8 +590,10 @@
             }
             print_error_page ($q);
             next;
-        } else {
-            my $redir_url = $q->url (-query => 1) . ';test_cookie=1';
+        } elsif ($q->request_method ne 'POST') {
+            $q->delete ('username', 'password', 'submit');
+            $q->param (test_cookie => 1);
+            my $redir_url = $q->url (-query => 1);
             print STDERR "no cookie set, redirecting to $redir_url\n"
                 if $DEBUG;
             print_headers ($q, '', $redir_url);
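Review bot: the redirect is built by deleting a fixed list of known-sensitive parameters (`$q->delete ('username', 'password', 'submit');`) and then re-emitting everything else with `$q->url (-query => 1)`. That is a denylist, so any parameter added to the login form later (or any extra field a site-local template submits) will be reflected into the redirect URL unless someone remembers to extend the list. Since the code that follows only consumes ST and RT from the query (`$q->param ('ST')`, `$q->param ('RT')`), consider building the redirect URL from just those parameters plus test_cookie=1 instead of deleting known-bad ones. Also confirm that the CGI.pm version shipped in lenny accepts a list of names in a single `delete` call; older releases only delete the first argument.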
@@ -591,6 +602,26 @@
     }
     # From this point on, browser cookie support is enforced.
 
+    # If the user sent a password, force POST as a method.  Otherwise, if we
+    # continue, the password may show up in referrer strings sent by the
+    # browser to the remote site.
+    #
+    # err_bad_method was added as a form parameter with WebAuth 3.6.2.  Try to
+    # adjust for old templates.
+    if ($q->param ('password') and $q->request_method ne 'POST') {
+        if ($PAGES{error}->query (name => 'err_bad_method')) {
+            $PAGES{error}->param (err_bad_method => 1);
+        } else {
+            print STDERR "warning: err_bad_method not recognized by WebLogin"
+                . " error template\n" if $LOGGING;
+            $PAGES{error}->param (err_webkdc => 1);
+            my $message = 'You must use the POST method to log in.';
+            $PAGES{error}->param (err_msg => $message);
+        }
+        print_error_page ($q);
+        next;
+    }
+
     # Set up the parameters to the WebKDC request.
     $req->service_token (fix_token ($q->param ('ST')));
     $req->request_token (fix_token ($q->param ('RT')));
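Review bot: the guard at `if ($q->param ('password') and $q->request_method ne 'POST') {` keys only on the password. A GET login that carries a username (with or without a password) still proceeds to the WebKDC request, and the username remains in the URL for browser history and Referer headers. Consider rejecting any non-POST request that carries either `username` or `password`, or at least document why the username is considered acceptable in the URL. Separately, the fallback branch logs under `$LOGGING` while the redirect debug message a few lines above uses `$DEBUG`; pick one so the warning about a stale template is visible to administrators who have logging enabled.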
only in patch2:
unchanged:
--- webauth-3.6.0.orig/src/webkdc/templates/error.tmpl
+++ webauth-3.6.0/src/webkdc/templates/error.tmpl
@@ -12,6 +12,7 @@
 the login.fcgi script on the weblogin server encounters an error.
 Variables used:
 
+err_bad_method         : browser submitted login page via GET not POST
 err_cookies_disabled   : cookies disabled in the web browser
 err_no_request_token   : no request token (user went straight to weblogin)
 err_webkdc             : the WebKDC returned an error
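Review bot: the description "browser submitted login page via GET not POST" is narrower than the check in login.fcgi, which rejects any request method other than POST (HEAD, PUT and so on included). Suggest "login form submitted via a method other than POST" so the template documentation matches the code.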
@@ -30,6 +31,17 @@
             <div class="errortext">
               <p><strong>An error has occurred</strong></p>
 
+              <!-- Error: browser submitted login page via GET -->
+              <TMPL_IF NAME=err_bad_method>
+                <p>Error: Login form not properly submitted.</p>
+                <p>Your browser has improperly submitted the login form
+                   via GET instead of POST, which risks exposing your
+                   password in your browser history and to other web sites
+                   you visit.  Please check that your browser is not
+                   misconfigured and you do not use browser plugins that
+                   override proper form handling.</p>
+              </TMPL_IF>
+
               <!-- Error: cookies disabled in web browser -->
               <TMPL_IF NAME=err_cookies_disabled>
                 <p>Error: You must enable cookies on your web browser.</p>
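Review bot: by the time this error page renders, the password is already in the URL of the request that produced it, so the user-facing text should tell the user what to do next as well as what went wrong. Suggest adding a sentence advising them to return to the site they were trying to reach and start the login again, and, since the likely cause is a bookmarked or cached login URL or a locally modified template as much as a misconfigured browser, softening "Your browser has improperly submitted" accordingly.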
