November 6, 2006: Empty Authentication Security Advisory
Component:  Modules
Audience:  All
Modified:  November 6, 2006

Subject:       Empty Authentication Security Advisory
Author:        Nathan Dors, Pubcookie Project
Status:        Confirmed, Fixes Released
Threat Class:  Abuse of Functionality
Issue date:    November 6, 2006
Severity:      Medium

Summary:
========

New releases of Pubcookie application server modules are available to
address an Abuse of Functionality vulnerability.

This vulnerability can be exploited to gain unauthorized access *only*
to applications that perform no authorization after authentication.

System administrators and application deployers using Pubcookie are
advised to read this security advisory and, if necessary, perform the
suggested actions below.

Note: The URL for this security advisory is:
http://pubcookie.org/news/20061106-empty-auth-secadv.html

Vulnerability Details:
======================

An Abuse of Functionality vulnerability in the Pubcookie authentication
process was found. This vulnerability allows an attacker to appear as if
he or she were authenticated using an empty userid when such a userid
isn't expected. Unauthorized access to web content and applications may
result where access is restricted to users who can authenticate
successfully but where no additional authorization is performed after
authentication.

Threat Classification:
======================

This vulnerability is classified with *medium* severity due to its
limited scope. The threat of unauthorized access is limited to web
content and applications that enforce no authorization policy after
authentication. For example, Apache's 'require' directive supports
syntax (specifically, 'require valid-user') that allows all
authenticated users to access the resource. If the resource itself
provides *no* additional authorization checks (e.g., "Is this userid
permitted to access this resource?") then there is a threat of
unauthorized access.

Affected Versions:
==================

This advisory applies to all Pubcookie application servers using a
Pubcookie Login Server version 3.1.0 or higher.

Patch Releases:
===============

The following minor patch release addresses the vulnerability described
in this security advisory:

* 3.3.2b (current production release; Unix and Windows)

This release is available now from the project's downloads page:
http://pubcookie.org/downloads.html

Suggested Action:
=================

Applications and web sites that apply no authorization policy after
using Pubcookie authentication are advised to upgrade their Pubcookie
application server software to Pubcookie 3.3.2b. (Adding authorization
to the application or web site is another advisable option.)
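The check the advisory recommends as the alternative to upgrading is an application-side authorization step that does not trust "someone authenticated" alone. The block below is an added example, not Pubcookie project code: it assumes the web server hands the authenticated userid to the application in the CGI/WSGI variable REMOTE_USER, models a "valid-user only" policy as accepting any userid the authenticator set (including an empty one), and contrasts it with a check that rejects an absent, empty or whitespace-only userid and then consults the resource's own allowlist. The allowlist and request environments are constructed for the example.

```python
"""Application-side authorization behind an external authenticator.

Added example, not code from the Pubcookie project. Assumes the web
server exposes the authenticated userid as REMOTE_USER (CGI/WSGI
convention); the allowlist and requests below are constructed.
"""

# Constructed allowlist; a real deployment would consult a group/role store.
PERMITTED_USERS = frozenset({"alice", "bob"})


def valid_user_only(environ):
    """Model (assumption, for illustration) of a policy that performs no
    authorization after authentication: any request for which the
    authenticator set a userid is accepted, even if that userid is empty.
    Returns the userid that was accepted, or None if none was set."""
    return environ.get("REMOTE_USER")


def authorized_user(environ, permitted=PERMITTED_USERS):
    """Return the userid when the request is authenticated AND authorized,
    otherwise None.

    1. An absent, empty or whitespace-only REMOTE_USER is treated as
       'not authenticated', even though the auth layer passed the request.
    2. A non-empty userid must still appear in the resource's allowlist,
       which is the authorization step the advisory recommends.
    """
    user = environ.get("REMOTE_USER")
    if user is None:
        return None
    user = user.strip()
    if not user:
        return None
    if user not in permitted:
        return None
    return user


def handle_request(environ):
    """Minimal WSGI-style dispatch returning (status, body)."""
    user = authorized_user(environ)
    if user is None:
        return ("403 Forbidden", b"not permitted")
    return ("200 OK", ("hello " + user).encode())


if __name__ == "__main__":
    # Constructed requests as an application would see them post-auth.
    for env in ({"REMOTE_USER": "alice"},
                {"REMOTE_USER": ""},      # the empty-userid case
                {"REMOTE_USER": "   "},
                {},
                {"REMOTE_USER": "mallory"}):
        print(env, "valid-user-only:", repr(valid_user_only(env)),
              "authorized:", handle_request(env)[0])
```

Running the block shows the gap directly: the "valid-user only" model accepts the empty userid, while `authorized_user` returns None for it and for any userid outside the allowlist. Treating an empty REMOTE_USER as unauthenticated is cheap defence in depth even after upgrading the server module.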

Note: For detailed version compatibility notes and upgrade information,
consult the relevant Pubcookie application server documentation.

Project Response:
=================

* 03 Oct 2006: Vulnerability discovered.
* 03 Oct 2006: Initial contact with technical details of vulnerability.
* 03 Oct 2006: Initial response confirming vulnerability.
* 10 Oct 2006: Solution available for Pubcookie Apache module.
* 06 Nov 2006: Solution available for Pubcookie ISAPI filter.
* 06 Nov 2006: Public disclosure through pubcookie.org advisory.

Acknowledgments:
================

The Pubcookie project thanks Bradley Schwoerer of the University of
Wisconsin-Madison for finding, analyzing and reporting this security
vulnerability.

References:
===========

Web Security Threat Classification
http://www.webappsec.org/projects/threat/

Apache Core Features - Require Directive
http://httpd.apache.org/docs/2.2/mod/core.html#require


Copyright © 2002-2008 University of Washington
UW Technology Services