Bug 572882 (CVE-2016-2049) - dev-php/php-openid: Host based account hijack attack (CVE-2016-2049)
Summary: dev-php/php-openid: Host based account hijack attack (CVE-2016-2049)
Status: RESOLVED FIXED
Alias: CVE-2016-2049
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Deadline: 2019-04-12
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-25 14:40 UTC by Agostino Sarubbo
Modified: 2019-04-13 13:49 UTC (History)
3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2016-01-25 14:40:27 UTC
From ${URL} :

An authorization hijacking attack can be carried out on a webserver using
php-openid for authentication.

In example usage (which the vast majority of sites use verbatim),
php-openid checks the `openid.realm` parameter against the PHP variable
`$_SERVER['SERVER_NAME']`
(https://github.com/openid/php-openid/blob/fb4cdfcaa578436c451f8e8687dfb61165074488/examples/consumer/common.php#L109).

Apache after 1.3 and many other webservers derive SERVER_NAME from the HOST
header.

The attacker coerces the victim into logging into his server with OpenID
provider P. The victim has an account on a website S that also uses P for
authentication.

When the victim logs into the attacker's site, the attacker captures the
request made to it via the victim's browser upon successful login.

The attacker makes a login request to S with the request made to it by the
victim to log into their website, changing the `Host` HTTP header to
reflect the attacker's server.

The captured request represents an authorization destined for the
attacker's evil.com that the victim has allowed a login to evil.com through
the OpenID provider P. By changing the Host header and making the request
to the vulnerable website S, S thinks the openid.realm through SERVER_NAME
should be evil.com, and accepts the OpenID login, allowing the attacker
access to the victim's account on S.



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
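The weakness the report describes, as an added illustration that is not code from php-openid, from the example consumer it cites, or from the reporter: the vulnerable shape derives the expected realm host from `$_SERVER['SERVER_NAME']`, which on many web servers is just the client-supplied `Host` header, so a replayed response whose realm names the attacker's site passes the check once the `Host` header is rewritten to match. The hardened shape compares against a deployment constant instead. `TRUSTED_HOST`, the function names and the sample request are all constructed for this example.

```php
<?php
// Added example (not php-openid code). Shows why comparing openid.realm
// against SERVER_NAME is unsafe when SERVER_NAME follows the Host header,
// and the corrected check against a configured canonical host.

// Constructed: the host the operator knows site S is actually served as.
const TRUSTED_HOST = 'site-s.example';

// Extract the lower-cased host part of a realm URL, or null if unparseable.
function realmHost(string $realm): ?string
{
    $host = parse_url($realm, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// Vulnerable shape: the "expected" host is taken from the request itself
// (SERVER_NAME), so the client controls both sides of the comparison.
function realmAcceptedVulnerable(string $realm, array $server): bool
{
    $expected = strtolower($server['SERVER_NAME'] ?? '');
    return $expected !== '' && realmHost($realm) === $expected;
}

// Hardened shape: the expected host is fixed by configuration and cannot be
// influenced by the Host header of the incoming request.
function realmAcceptedHardened(string $realm): bool
{
    return realmHost($realm) === TRUSTED_HOST;
}

// Constructed replayed request: the OpenID response was issued for the
// attacker's realm, and the Host header has been rewritten to match it.
$replayedServer = ['SERVER_NAME' => 'evil.example'];
$replayedRealm  = 'https://evil.example/';

// The vulnerable check accepts the replay; the hardened check rejects it
// because the realm host is not the configured canonical host.
var_dump(realmAcceptedVulnerable($replayedRealm, $replayedServer));
var_dump(realmAcceptedHardened($replayedRealm));

// A legitimate response for site S passes the hardened check.
var_dump(realmAcceptedHardened('https://site-s.example/login'));
```

Two deployment-side checks follow from the same observation: the application should never derive a security-relevant identity (realm, return_to, cookie domain) from `SERVER_NAME` or `HTTP_HOST` on a server that fills those from the request, and on Apache the combination of a fixed `ServerName` with `UseCanonicalName On` makes `SERVER_NAME` come from the configuration rather than from the `Host` header, which closes the same gap for applications that cannot be changed.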
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-06-19 11:44:49 UTC
CVE-2016-2049 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2049):
  examples/consumer/common.php in JanRain PHP OpenID library (aka php-openid)
  improperly checks the openid.realm parameter against the SERVER_NAME element
  in the SERVER superglobal array, which might allow remote attackers to
  hijack the authentication of arbitrary users via vectors involving a crafted
  HTTP Host header.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-06-19 11:49:25 UTC
Still pending upstream:

https://github.com/openid/php-openid/issues/128
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-12-03 00:09:08 UTC
Still no fix... no RDEPS...
Comment 4 Larry the Git Cow gentoo-dev 2019-03-13 17:04:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40c510cb9ab1218665619f7832e463323479ea8e

commit 40c510cb9ab1218665619f7832e463323479ea8e
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-13 17:04:15 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-13 17:04:15 +0000

    package.mask: Last rite vulnerable dev-php/php-openid
    
    Bug: https://bugs.gentoo.org/572882
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2019-03-27 03:16:06 UTC
Arches and Maintainer(s), Thank you for your work.
To be removed in 30 Days after Last Rites.

Thank you all for your work.
Comment 6 Larry the Git Cow gentoo-dev 2019-04-13 06:57:56 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4a2c899dbea085c5de8e75adca517404190e37c

commit f4a2c899dbea085c5de8e75adca517404190e37c
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-04-13 06:54:43 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-04-13 06:57:39 +0000

    dev-php/php-openid: Remove last-rited pkg
    
    Closes: https://bugs.gentoo.org/572882
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-php/php-openid/Manifest                        |  1 -
 dev-php/php-openid/metadata.xml                    | 11 -------
 .../php-openid/php-openid-2.3.1_pre20180219.ebuild | 35 ----------------------
 profiles/package.mask                              |  6 ----
 4 files changed, 53 deletions(-)