From ${URL} : An authorization hijacking attack can be carried out on a webserver using php-openid for authentication. In example usage (which the vast majority of sites use verbatim), php-openid checks the `openid.realm` parameter against the PHP variable `$_SERVER['SERVER_NAME']` ( https://github.com/openid/php-openid/blob/fb4cdfcaa578436c451f8e8687dfb61165074488/examples/consumer/common.php#L109 ). Apache after 1.3 and many other webservers derive SERVER_NAME from the HOST header.

The attacker coerces the victim into logging into his server with OpenID provider P. The victim has an account on a website S that also uses P for authentication. When the victim logs into the attacker's site, the attacker captures the request made to it via the victim's browser upon successful login. The attacker makes a login request to S with the request made to it by the victim to log into their website, changing the `Host` HTTP header to reflect the attacker's server. The captured request represents an authorization destined for the attacker's evil.com: the victim has allowed a login to evil.com through the OpenID provider P. By changing the Host header and making the request to the vulnerable website S, S thinks the openid.realm through SERVER_NAME should be evil.com, and accepts the OpenID login, allowing the attacker access to the victim's account on S.

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
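The root cause above is that the consumer derives its realm from a request header, so whatever the client sends as `Host` becomes the value the realm check trusts. The following PHP is an added example, not php-openid's own code: a helper modelled on the header-derived pattern next to a hardened one that uses a fixed, operator-configured realm and verifies both the signed realm and the `return_to` URL against it. The constant `OPENID_REALM`, the function names and the sample values (`evil.example`, `example.org`) are assumptions constructed for the demonstration.

```php
<?php
// Added example (not php-openid's code): why a realm derived from
// SERVER_NAME is attacker-influenced, and a hardened alternative.

// Weak pattern, modelled on the example consumer: the realm is built from
// SERVER_NAME, which Apache and other servers fill from the Host header.
function getTrustRootFromServerName(): string
{
    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $_SERVER['SERVER_NAME'] . '/';
}

// Hardened pattern: the realm is a deployment constant (assumed value,
// set by the site operator) and is never read from request headers.
const OPENID_REALM = 'https://example.org/';

function getTrustRoot(): string
{
    return OPENID_REALM;
}

// Accept a provider response only if the realm it was issued for is exactly
// the configured realm and the return_to URL lives under that realm.
function realmMatches(string $signedRealm, string $returnTo): bool
{
    $realm = getTrustRoot();
    if ($signedRealm !== $realm) {
        return false;
    }
    return strncmp($returnTo, $realm, strlen($realm)) === 0;
}

// Constructed demonstration: simulate a request whose Host header (and
// therefore SERVER_NAME) names a site the operator does not control.
$_SERVER['SERVER_NAME'] = 'evil.example';
$_SERVER['HTTPS'] = 'on';
$signedRealm = 'https://evil.example/';  // constructed: realm the response was issued for

// Header-derived realm agrees with the foreign realm, so the check passes.
var_dump(getTrustRootFromServerName() === $signedRealm);                       // bool(true)
// Fixed realm rejects the same response.
var_dump(realmMatches($signedRealm, 'https://evil.example/finish_auth.php'));   // bool(false)
// A response for the configured realm is still accepted.
var_dump(realmMatches(OPENID_REALM, 'https://example.org/finish_auth.php'));    // bool(true)
```

The same principle applies to any value fed into the realm or `return_to` comparison: it must come from configuration the operator controls, not from `SERVER_NAME`, `HTTP_HOST` or `PHP_SELF`.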
CVE-2016-2049 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2049): examples/consumer/common.php in JanRain PHP OpenID library (aka php-openid) improperly checks the openid.realm parameter against the SERVER_NAME element in the SERVER superglobal array, which might allow remote attackers to hijack the authentication of arbitrary users via vectors involving a crafted HTTP Host header.
Still pending upstream: https://github.com/openid/php-openid/issues/128
Still no fix... no RDEPS...
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40c510cb9ab1218665619f7832e463323479ea8e

commit 40c510cb9ab1218665619f7832e463323479ea8e
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-13 17:04:15 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-13 17:04:15 +0000

    package.mask: Last rite vulnerable dev-php/php-openid

    Bug: https://bugs.gentoo.org/572882
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Arches and Maintainer(s), Thank you for your work. To be removed in 30 days after Last Rites. Thank you all for your work.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4a2c899dbea085c5de8e75adca517404190e37c

commit f4a2c899dbea085c5de8e75adca517404190e37c
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-04-13 06:54:43 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-04-13 06:57:39 +0000

    dev-php/php-openid: Remove last-rited pkg

    Closes: https://bugs.gentoo.org/572882
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-php/php-openid/Manifest                        |  1 -
 dev-php/php-openid/metadata.xml                    | 11 -------
 .../php-openid/php-openid-2.3.1_pre20180219.ebuild | 35 ----------------------
 profiles/package.mask                              |  6 ----
 4 files changed, 53 deletions(-)