November 6, 2006: Empty Authentication Security Advisory.
Subject: Empty Authentication Security Advisory
Author: Nathan Dors, Pubcookie Project
Status: Confirmed, Fixes Released
Threat Class: Abuse of Functionality
Issue date: November 6, 2006
New releases of Pubcookie application server modules are available to
address an Abuse of Functionality vulnerability.
This vulnerability can be exploited to gain unauthorized access *only*
to applications that perform no authorization after authentication.
System administrators and application deployers using Pubcookie are
advised to read this security advisory and, if necessary, perform the
suggested actions below.
Note: The URL for this security advisory is:
An Abuse of Functionality vulnerability in the Pubcookie authentication
process was found. This vulnerability allows an attacker to appear as if
he or she were authenticated using an empty userid when such a userid
isn't expected. Unauthorized access to web content and applications may
result where access is restricted to users who can authenticate
successfully but where no additional authorization is performed after
This vulnerability is classified with *medium* severity due to its
limited scope. The threat of unauthorized access is limited to web
content and applications that enforce no authorization policy after
authentication. For example, Apache's 'require' directive supports
syntax (specifically, 'require valid-user') that allows all
authenticated users to access the resource. If the resource itself
provides *no* additional authorization checks (e.g., "Is this userid
permitted to access this resource?") then there is a threat of
This advisory applies to all Pubcookie application servers using a
Pubcookie Login Server version 3.1.0 or higher.
The following minor patch release addresses the vulnerability described
in this security advisory:
* 3.3.2b (current production release; Unix and Windows)
This release is available now from the project's downloads page:
Applications and web sites that apply no authorization policy after
using Pubcookie authentication are advised to upgrade their Pubcookie
application server software to Pubcookie 3.3.2b. (Adding authorization
to the application or web site is another advisable option.)
Note: For detailed version compatibility notes and upgrade information,
consult the relevant Pubcookie application server documentation.
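The severity discussion above and the remediation advice ("Adding authorization to the application or web site is another advisable option") both come down to the same point: Apache's 'require valid-user' only asks whether authentication succeeded, not whether the resulting userid is allowed to reach the resource, so a userid that is empty when none was expected slips through. The following application-side check illustrates the second question. It is an added example, not Pubcookie project code or Apache configuration; the allow-list, the sample REMOTE_USER values and the function names are constructed for illustration.

```python
# Added example (not Pubcookie project code): an application-level
# authorization check that closes the gap described in the advisory.
# It treats a missing, empty or whitespace-only userid as unauthenticated
# and then requires membership in an allow-list, so that "authenticated"
# alone is never sufficient to reach the resource.

ALLOWED_USERS = frozenset({"alice", "bob"})  # constructed sample allow-list


def authorize(remote_user, allowed_users=ALLOWED_USERS):
    """Return (allowed, reason).

    remote_user is the REMOTE_USER value the web server handed to the
    application after its own authentication step (None if it set nothing).
    """
    if remote_user is None:
        return False, "no userid: authentication did not run"
    userid = remote_user.strip()
    if not userid:
        # The case the advisory describes: an empty userid must not count
        # as an authenticated user, whatever the server layer reported.
        return False, "empty userid: treated as unauthenticated"
    if userid not in allowed_users:
        return False, "userid %r authenticated but not authorized" % userid
    return True, "userid %r authorized" % userid


def handle_request(environ):
    """Minimal WSGI-style dispatch: deny unless authorize() says yes."""
    allowed, reason = authorize(environ.get("REMOTE_USER"))
    if not allowed:
        return "403 Forbidden", reason
    return "200 OK", reason


if __name__ == "__main__":
    # Constructed sample request environments, including the empty-userid case.
    samples = (
        {"REMOTE_USER": "alice"},
        {"REMOTE_USER": ""},
        {"REMOTE_USER": "   "},
        {"REMOTE_USER": "mallory"},
        {},
    )
    for env in samples:
        print(repr(env.get("REMOTE_USER")), "->", handle_request(env))
```

The check is deliberately placed in the application rather than relying solely on the web server: even after the module upgrade, a resource that makes its own "is this userid permitted here?" decision does not depend on the authentication layer having rejected every unexpected userid.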
* 03 Oct 2006: Vulnerability discovered.
* 03 Oct 2006: Initial contact with technical details of vulnerability.
* 03 Oct 2006: Initial response confirming vulnerability.
* 10 Oct 2006: Solution available for Pubcookie Apache module.
* 06 Nov 2006: Solution available for Pubcookie ISAPI filter.
* 06 Nov 2006: Public disclosure through pubcookie.org advisory.
The Pubcookie project thanks Bradley Schwoerer of the University of
Wisconsin-Madison for finding, analyzing and reporting this security
Web Security Threat Classification
Apache Core Features - Require Directive