CVE-2009-2945

Name of the Vulnerable Software and Affected Versions: Stanford University WebAuth versions 3.5.5 through 3.6.1

Description: The issue allows attackers to discover passwords by reading web-server access logs, web-server Referer logs, or the browser history in certain circumstances involving conversion of a POST request to a GET request. This occurs because the weblogin/login.fcgi script places passwords in URLs.

Recommendations: For versions 3.5.5 through 3.6.1, consider modifying the weblogin/login.fcgi script to prevent passwords from being placed in URLs, especially during the conversion of a POST request to a GET request. As a temporary workaround, restrict access to the weblogin/login.fcgi script to minimize the risk of exploitation.