From: Simon McVittie <smcv@debian.org>
Date: Wed, 11 Jan 2017 13:12:50 +0000 (+0000)
Subject: passwordauth: prevent authentication bypass via multiple name parameters
X-Git-Tag: debian/3.20120629.2+deb7u2~38
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/7cb42cb1a80854e570b4f19863409ae6cc263680?hp=7cb42cb1a80854e570b4f19863409ae6cc263680

passwordauth: prevent authentication bypass via multiple name parameters

Calling CGI::FormBuilder::field with a name argument in list context
returns zero or more user-specified values of the named field, even
if that field was not declared as supporting multiple values.
Passing the result of field as a function parameter counts as list
context. This is the same bad behaviour that is now discouraged
for CGI::param.

In this case we pass the multiple values to CGI::Session::param.
That accessor has six possible calling conventions, of which four are
documented. If an attacker passes (2*n + 1) values for the 'name'
field, for example name=a&name=b&name=c, we end up in one of the
undocumented calling conventions for param:

    # equivalent to: (name => 'a', b => 'c')
    $session->param('name', 'a', 'b', 'c')

and the 'b' session parameter is unexpectedly set to an
attacker-specified value.

In particular, if an attacker "bob" specifies
name=bob&name=name&name=alice, then authentication is carried out
for "bob" but the CGI::Session ends up containing {name => 'alice'},
an authentication bypass vulnerability.

This vulnerability is tracked as OVE-20170111-0001.
---