Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 26 May 2015 13:56:13 +0200
From: Douwe Maan <douwe@...lab.com>
To: oss-security@...ts.openwall.com
Cc: Erik Michaels-Ober <sferik@...il.com>
Subject: CVE Request: CSRF vulnerability in OmniAuth request phase

Affected software: 
- Ruby gem (library) OmniAuth[0]
- Gems that use OmniAuth, e.g. Devise[1]

Type of vulnerability: 
Cross-Site Request Forgery

Original report by: 
Mohamed Abdelbaset Elnoby, Senior Information Security Analyst at Seekurity.com[2]
[The website Seekurity.com isn’t currently working.]

Summary:

OmniAuth is a library used in Ruby web applications to authenticate users using 
external services, for example OAuth providers. 

The request phase of OmniAuth is vulnerable to Cross-Site Request Forgery. This 
is the step that actually connects an external account (on a connected OAuth 
provider) to an internal account (on the web application itself). This means 
that when a client is signed into an account on the web application, and signed 
into an account on a connected OAuth provider, these two accounts can be 
connected without user intent, user interaction or feedback to the user. From 
here on out, the external account can be used to sign into the web application 
as the internal account. 

If the sign in action at a connected OAuth provider is vulnerable to CSRF, an 
attacker can force the victim’s client to be logged into the external service 
using an account beloning to the attacker, can then force this external account 
to be connected to the internal account, and can from here on out use their 
account on the external service to log into the victim’s account on the targeted 
application.

We are aware of one large OAuth provider where the sign in action is or was 
vulnerable to CSRF.

Issue report and patch: 
https://github.com/intridea/omniauth/pull/809

References:
[0] https://github.com/intridea/omniauth
[1] https://github.com/plataformatec/devise
[2] https://twitter.com/symbiansymoh

Thanks,

Douwe Maan
GitLab

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.