Date: Sun, 24 Jan 2016 03:21:31 +0000
From: Zemnmez <>
Subject: CVE Request: Host based account hijack attack on php-openid

An authorization hijacking attack can be carried out on a webserver using
php-openid for authentication.

In example usage (which the vast majority of sites use verbatim),
php-openid checks the `openid.realm` parameter against the PHP variable

Apache after 1.3 and many other webservers derive SERVER_NAME from the HOST

The attacker coerces the victim into logging into his server with OpenID
provider P. The victim has an account on a website S that also uses P for

When the victim logs into the attacker's site, the attacker captures the
request made to it via the victim's browser upon successful login.

The attacker makes a login request to S with the request made to it by the
victim to log into their website, changing the `Host` HTTP header to
reflect the attacker's server.

The captured request represents an authorization destined for the
attacker's that the victim has allowed a login to through
the OpenID provider P. By changing the Host header and making the request
to the vulnerable website S, S thinks the openid.realm through SERVER_NAME
should be, and accepts the OpenID login, allowing the attacker
access to the victim's account on S.

Zemnmez and Nathaniel "XMPPwocky" Theis
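The check the post describes, modelled in Python as an added example (this is not php-openid's code, and the hostnames, paths and the `Request` type are constructed for the illustration). The relying party derives its expected realm from `SERVER_NAME`; on a web server that fills `SERVER_NAME` from the client's `Host` header, the attacker's captured, provider-approved redirect passes the check once `Host` names the attacker's server. The hardened variant compares against a configured canonical host instead and additionally requires `openid.return_to` to point back into that host, which is my addition rather than something the post states. The provider's signature over the assertion is out of scope here: it is genuinely valid, since P really did approve a login to the attacker's realm, which is why the realm check is the only thing standing between the attacker and the victim's account on S.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed hostnames for the example: S is the vulnerable relying party,
# the attacker runs a second relying party against the same provider P.
VICTIM_SITE = "s.example"
ATTACKER_SITE = "attacker.example"


@dataclass
class Request:
    """The browser's redirect back from provider P as it arrives at a relying party."""
    headers: dict
    query: dict


def realm_from_server_name(request: Request) -> str:
    # Models SERVER_NAME on a server that derives it from the Host header:
    # whatever the client put in Host becomes "our" hostname.
    host = request.headers.get("Host", "")
    return f"https://{host}/"


def vulnerable_accepts(request: Request) -> bool:
    """Realm check as described in the post: the expected realm is rebuilt on
    every request from the client-controlled Host header."""
    return request.query.get("openid.realm") == realm_from_server_name(request)


def hardened_accepts(request: Request, canonical_host: str = VICTIM_SITE) -> bool:
    """Expected realm comes from fixed configuration, never from the request,
    and openid.return_to must point back into that same host (assumed
    hardening, not taken from the post)."""
    if request.query.get("openid.realm") != f"https://{canonical_host}/":
        return False
    return_to = urlparse(request.query.get("openid.return_to", ""))
    return return_to.scheme == "https" and return_to.hostname == canonical_host


def legitimate_request() -> Request:
    """Victim logs into S normally: Host and realm both name S."""
    return Request(
        headers={"Host": VICTIM_SITE},
        query={
            "openid.mode": "id_res",
            "openid.realm": f"https://{VICTIM_SITE}/",
            "openid.return_to": f"https://{VICTIM_SITE}/login/finish",
            "openid.claimed_id": "https://p.example/victim",  # constructed
        },
    )


def captured_request() -> Request:
    """What the victim's browser sent to the attacker's site after P approved
    a login to the attacker's realm. The attacker records this verbatim."""
    return Request(
        headers={"Host": ATTACKER_SITE},
        query={
            "openid.mode": "id_res",
            "openid.realm": f"https://{ATTACKER_SITE}/",
            "openid.return_to": f"https://{ATTACKER_SITE}/login/finish",
            "openid.claimed_id": "https://p.example/victim",
        },
    )


def replay_to_victim_site(captured: Request) -> Request:
    """The attacker resends the captured request to S, keeping a Host header
    that names the attacker's own server so that S's SERVER_NAME, and hence
    the realm S computes, matches the realm P actually approved."""
    return Request(headers={**captured.headers, "Host": ATTACKER_SITE},
                   query=dict(captured.query))


if __name__ == "__main__":
    replayed = replay_to_victim_site(captured_request())
    print("vulnerable RP, legitimate login:   ", vulnerable_accepts(legitimate_request()))
    print("vulnerable RP, replayed attack:    ", vulnerable_accepts(replayed))
    print("hardened RP, legitimate login:     ", hardened_accepts(legitimate_request()))
    print("hardened RP, replayed attack:      ", hardened_accepts(replayed))
```

The takeaway for a deployment is the same on either side of the code: the relying party must compare the realm (and `return_to`) against a value it owns, not one it re-derives from the request. On Apache, `UseCanonicalName On` together with an explicit `ServerName` makes `SERVER_NAME` come from configuration rather than from `Host`, but relying on that alone still leaves the application one misconfigured vhost away from the attack, so the trust root belongs in the application's configuration too.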
