oss-sec mailing list archives
CVE Request: Host based account hijack attack on php-openid
From: Zemn mez <zemnmez () gmail com>
Date: Sun, 24 Jan 2016 03:21:31 +0000
An authorization hijacking attack can be carried out on a webserver using php-openid for authentication. In example usage (which the vast majority of sites use verbatim), php-openid checks the `openid.realm` parameter against the PHP variable `$SERVER['SERVER_NAME']`. ( https://github.com/openid/php-openid/blob/fb4cdfcaa578436c451f8e8687dfb61165074488/examples/consumer/common.php#L109 ) Apache after 1.3 and many other webservers derive SERVER_NAME from the HOST header. The attacker coerces the victim into logging into his server with OpenID provider P. The victim has an account on a website S that also uses P for authentication. When the victim logs into the attacker's site, the attacker captures the request made to it via the victim's browser upon successful login. The attacker makes a login request to S with the request made to it by the victim to log into their website, changing the `Host` HTTP header to reflect the attacker's server. The captured request represents an authorization destined for the attacker's evil.com that the victim has allowed a login to evil.com through the OpenID provider P. By changing the Host header and making the request to the vulnerable website S, S thinks the openid.realm through SERVER_NAME should be evil.com, and accepts the OpenID login, allowing the attacker access to the victim's account on S. Zemnmez and Nathaniel "XMPPwocky" Theis
Current thread:
- CVE Request: Host based account hijack attack on php-openid Zemn mez (Jan 24)
- Re: CVE Request: Host based account hijack attack on php-openid cve-assign (Jan 24)