Date: Sun, 24 Jan 2016 03:21:31 +0000
From: Zemn mez <zemnmez@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Host based account hijack attack on php-openid

An authorization hijacking attack can be carried out on a webserver using
php-openid for authentication.

In example usage (which the vast majority of sites use verbatim),
php-openid checks the `openid.realm` parameter against the PHP variable
`$_SERVER['SERVER_NAME']`
(https://github.com/openid/php-openid/blob/fb4cdfcaa578436c451f8e8687dfb61165074488/examples/consumer/common.php#L109).

Apache after 1.3 and many other webservers derive SERVER_NAME from the HOST
header.

The attacker coerces the victim into logging into his server with OpenID
provider P. The victim has an account on a website S that also uses P for
authentication.

When the victim logs into the attacker's site, the attacker captures the
request made to it via the victim's browser upon successful login.

The attacker then makes a login request to S using the request that the
victim made to the attacker's site, changing the `Host` HTTP header to
reflect the attacker's server.

The captured request represents an authorization, destined for the
attacker's evil.com, by which the victim has allowed a login to evil.com
through the OpenID provider P. By changing the Host header and making the
request to the vulnerable website S, S thinks that the openid.realm
derived via SERVER_NAME should be evil.com, and accepts the OpenID login,
allowing the attacker access to the victim's account on S.


Zemnmez and Nathaniel "XMPPwocky" Theis
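The following is an added example, not code from the post above and not
php-openid's own code. It simulates the consumer-side check the post
describes: the site reconstructs its own return URL from SERVER_NAME (fed
from the Host header), so a positive assertion captured for evil.com is
accepted when replayed with `Host: evil.com`. The hardened variant compares
against a configured base URL instead. The hostnames (p.example, s.example),
the HMAC "assertion signature" standing in for the provider's
check_authentication round trip, and the field layout are all constructed
for the simulation and are not the OpenID wire format.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed signing key for the simulated provider P. In real OpenID the
# consumer either holds an association with P or asks P via
# check_authentication; either way P vouches for the assertion, and the
# only thing binding it to a particular site is return_to/realm.
OP_KEY = b"constructed-op-mac-key-for-demo"
SIGNED_FIELDS = ("claimed_id", "return_to", "nonce")

# Assumed fixed configuration for the legitimate site S (hardened variant).
SITE_RETURN_BASE = "https://s.example/"


def op_sign(assertion):
    """Simulated provider P signing a positive assertion (constructed format)."""
    msg = "&".join(f"{k}={assertion[k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(OP_KEY, msg, hashlib.sha256).hexdigest()


def op_check_authentication(assertion):
    """Simulated stateless check: P confirms a signature it produced itself."""
    return hmac.compare_digest(op_sign(assertion), assertion["sig"])


def host_derived_return_base(headers):
    # Models the behaviour the post describes: the site's own URL is built
    # from SERVER_NAME, which Apache and others fill from the Host header.
    return "https://" + headers["Host"] + "/"


def return_to_matches(assertion, base):
    """True if the assertion's return_to lies under `base` (scheme, host, path)."""
    rt, b = urlparse(assertion["return_to"]), urlparse(base)
    return (rt.scheme, rt.netloc) == (b.scheme, b.netloc) and rt.path.startswith(b.path)


def consumer_accepts_vulnerable(headers, assertion):
    """Vulnerable consumer: realm/return_to is checked against the Host header."""
    if not op_check_authentication(assertion):
        return False
    return return_to_matches(assertion, host_derived_return_base(headers))


def consumer_accepts_hardened(headers, assertion, configured_base=SITE_RETURN_BASE):
    """Hardened consumer: realm/return_to is checked against fixed configuration.

    `headers` is accepted only so both variants share a signature; the Host
    header is deliberately never consulted.
    """
    if not op_check_authentication(assertion):
        return False
    return return_to_matches(assertion, configured_base)


def demo():
    """Replay the attack from the post against both consumer variants."""
    # Step 1: the victim logs into the attacker's site; P issues an assertion
    # whose return_to points at evil.com. The attacker captures it.
    captured = {
        "claimed_id": "https://p.example/victim",
        "return_to": "https://evil.com/finish_auth.php",
        "nonce": "2016-01-24T03:21:31Z-constructed",
    }
    captured["sig"] = op_sign(captured)

    # Step 2: the attacker sends the captured assertion to S, but with the
    # Host header rewritten to the attacker's own server.
    replay_headers = {"Host": "evil.com"}

    # Control case: a genuine login to S, return_to under S's own base URL.
    legit = {
        "claimed_id": "https://p.example/victim",
        "return_to": "https://s.example/finish_auth.php",
        "nonce": "2016-01-24T03:22:00Z-constructed",
    }
    legit["sig"] = op_sign(legit)
    legit_headers = {"Host": "s.example"}

    # Tampered case: return_to changed without P's signature, rejected by both.
    tampered = dict(captured, return_to="https://s.example/finish_auth.php")

    return {
        "replay_vulnerable": consumer_accepts_vulnerable(replay_headers, captured),
        "replay_hardened": consumer_accepts_hardened(replay_headers, captured),
        "legit_vulnerable": consumer_accepts_vulnerable(legit_headers, legit),
        "legit_hardened": consumer_accepts_hardened(legit_headers, legit),
        "tampered_vulnerable": consumer_accepts_vulnerable(legit_headers, tampered),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'ACCEPTED' if accepted else 'rejected'}")
```

The point the simulation makes is that the provider's signature is genuine
in the replayed request; nothing is forged. The only check that could have
stopped the login is the comparison of return_to/realm against the site's
own identity, and when that identity is derived from the attacker-controlled
Host header the check compares the attacker's value with itself.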
