Debian GNU/Linux

libwww-perl(-5.808) has serious security flaw for over 4 years now

Reported by Cinquero on 2008-03-05
2
Affects Status Importance Assigned to Milestone
libwww-perl (Debian)
Confirmed
Unknown
libwww-perl (Ubuntu)
Undecided
Unassigned

Bug Description

See LWP::Protocol::https class, the _check_sock function:

we don't execute $sock->get_peer_verify before checking the cert's subject against $req->header("If-SSL-Cert-Subject").

$sock->get_peer_verify gets called only *after* we have pushed all of our request to the server (possibly containing critical data including passwords) -- that is BAAAAD. Basically, all of that renders SSL support in LWP::UserAgent not only meaningless, but also gives the user impression of security, which is not only bad, but almost a malicious thing to do.

More experimentation has shown that this only happens when doing "use IO::Socket::SSL". Otherwise, Crypt::SSLeay is used and that one shows the opposite behaviour: unverified server certs are NEVER accepted. I don't even know how to set the verification level und neither seems to be documented what exactly gets verified.... (server name at least?? How about redirects?....)

Please fix this and/or report it upstream because I consider it a major issue.

Daniel T Chen (crimsun) on 2008-11-30
Changed in libwww-perl:
status: New → Confirmed
Changed in libwww-perl:
status: Unknown → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.