Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2009-2945
Last Modified 16 Sep 2009 12:00:00
Published 15 Sep 2009 06:30:00
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2009-2945

Summary

weblogin/login.fcgi (aka the WebLogin login script) in Stanford University WebAuth 3.5.5, 3.6.0, and 3.6.1 places passwords in URLs in certain circumstances involving conversion of a POST request to a GET request, which allows context-dependent attackers to discover passwords by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.

Vulnerable Systems

Application

  • Stanford Webauth 3.5.5

  • Stanford Webauth 3.6.0

  • Stanford Webauth 3.6.1


References

CONFIRM - http://webauth.stanford.edu/security/2009-09-10.html

SECUNIA - 36640


Last Updated: 27 May 2016 10:51:04