Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 26 May 2015 13:56:13 +0200
From: Douwe Maan <douwe@...lab.com>
To: oss-security@...ts.openwall.com
Cc: Erik Michaels-Ober <sferik@...il.com>
Subject: CVE Request: CSRF vulnerability in OmniAuth request phase

Affected software: 
- Ruby gem (library) OmniAuth[0]
- Gems that use OmniAuth, e.g. Devise[1]

Type of vulnerability: 
Cross-Site Request Forgery

Original report by: 
Mohamed Abdelbaset Elnoby, Senior Information Security Analyst at Seekurity.com[2]
[The website Seekurity.com isn’t currently working.]

Summary:

OmniAuth is a library used in Ruby web applications to authenticate users using 
external services, for example OAuth providers. 

The request phase of OmniAuth is vulnerable to Cross-Site Request Forgery. This 
is the step that actually connects an external account (on a connected OAuth 
provider) to an internal account (on the web application itself). This means 
that when a client is signed into an account on the web application, and signed 
into an account on a connected OAuth provider, these two accounts can be 
connected without user intent, user interaction or feedback to the user. From 
here on out, the external account can be used to sign into the web application 
as the internal account. 

If the sign in action at a connected OAuth provider is vulnerable to CSRF, an 
attacker can force the victim’s client to be logged into the external service 
using an account beloning to the attacker, can then force this external account 
to be connected to the internal account, and can from here on out use their 
account on the external service to log into the victim’s account on the targeted 
application.

We are aware of one large OAuth provider where the sign in action is or was 
vulnerable to CSRF.

Issue report and patch: 
https://github.com/intridea/omniauth/pull/809

References:
[0] https://github.com/intridea/omniauth
[1] https://github.com/plataformatec/devise
[2] https://twitter.com/symbiansymoh

Thanks,

Douwe Maan
GitLab

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.