* Advisory ID: DRUPAL-SA-CONTRIB-2010-084 * Project: OpenID (third-party module) * Version: 5.x * Date: 2010-Aug-11 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Authentication bypass
-------- DESCRIPTION ---------------------------------------------------------
The OpenID module provides users the ability to login to sites using an OpenID account. The OpenID module doesn't implement the all required verifications from the OpenID 2.0 protocol and is vulnerable to a number of attacks. Specifically: - OpenID should verify that a "openid.response_nonce" has not already been used for an assertion by the OpenID provider - OpenID should verify the value of openid.return_to as obtained from the OpenID provider - OpenID must verify that all fields that are required to be signed are signed These specification violations allow malicious sites to harvest positive assertions from OpenID providers and use them on sites using the OpenID module to obtain access to preexisting accounts bound to the harvested OpenIDs. Intercepted assertions from OpenID providers can also be replayed and used to obtain access to user accounts bound to the intercepted OpenIDs. -------- VERSIONS AFFECTED ---------------------------------------------------
* OpenID module for Drupal 5.x versions prior to 5.x-1.4
This issue affects the OpenID module for Drupal 5.x only. A separate security announcement [1] and release is published for the OpenID core module in Drupal 6.x. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use the OpenID module for Drupal 5.x upgrade to OpenID 5.x-1.4 [2]
See also the OpenID project page [3]. -------- REPORTED BY ---------------------------------------------------------
* Johnny Bufu [4] * Christian Schmidt [5] * Heine Deelstra [6] of the Drupal security team
-------- FIXED BY ------------------------------------------------------------
* Christian Schmidt [7] * Heine Deelstra [8] of the Drupal security team * Damien Tournoud [9] of the Drupal security team
-------- CONTACT -------------------------------------------------------------
The Drupal security team [10] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/node/880476 [2] http://drupal.org/node/880496 [3] http://drupal.org/project/openid [4] http://drupal.org/user/226462 [5] http://drupal.org/user/216078 [6] http://drupal.org/user/17943 [7] http://drupal.org/user/216078 [8] http://drupal.org/user/17943 [9] http://drupal.org/user/22211 [10] http://drupal.org/security-team