Date: Tue, 26 May 2015 13:56:13 +0200 From: Douwe Maan <douwe@...lab.com> To: oss-security@...ts.openwall.com Cc: Erik Michaels-Ober <sferik@...il.com> Subject: CVE Request: CSRF vulnerability in OmniAuth request phase Affected software: - Ruby gem (library) OmniAuth - Gems that use OmniAuth, e.g. Devise Type of vulnerability: Cross-Site Request Forgery Original report by: Mohamed Abdelbaset Elnoby, Senior Information Security Analyst at Seekurity.com [The website Seekurity.com isn’t currently working.] Summary: OmniAuth is a library used in Ruby web applications to authenticate users using external services, for example OAuth providers. The request phase of OmniAuth is vulnerable to Cross-Site Request Forgery. This is the step that actually connects an external account (on a connected OAuth provider) to an internal account (on the web application itself). This means that when a client is signed into an account on the web application, and signed into an account on a connected OAuth provider, these two accounts can be connected without user intent, user interaction or feedback to the user. From here on out, the external account can be used to sign into the web application as the internal account. If the sign in action at a connected OAuth provider is vulnerable to CSRF, an attacker can force the victim’s client to be logged into the external service using an account beloning to the attacker, can then force this external account to be connected to the internal account, and can from here on out use their account on the external service to log into the victim’s account on the targeted application. We are aware of one large OAuth provider where the sign in action is or was vulnerable to CSRF. Issue report and patch: https://github.com/intridea/omniauth/pull/809 References:  https://github.com/intridea/omniauth  https://github.com/plataformatec/devise  https://twitter.com/symbiansymoh Thanks, Douwe Maan GitLab
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.