SA-CONTRIB-2010-084 - OpenID - Authentication bypass - Security-news

11 Aug 2010


      * Advisory ID: DRUPAL-SA-CONTRIB-2010-084
  * Project: OpenID (third-party module)
  * Version: 5.x
  * Date: 2010-Aug-11
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Authentication bypass
-------- DESCRIPTION  
---------------------------------------------------------
The OpenID module provides users the ability to login to sites using an
OpenID account. The OpenID module doesn't implement the all required
verifications from the OpenID 2.0 protocol and is vulnerable to a number of
attacks. Specifically: - OpenID should verify that a "openid.response_nonce"
has not already been used for an assertion by the OpenID provider - OpenID
should verify the value of openid.return_to as obtained from the OpenID
provider - OpenID must verify that all fields that are required to be signed
are signed These specification violations allow malicious sites to harvest
positive assertions from OpenID providers and use them on sites using the
OpenID module to obtain access to preexisting accounts bound to the harvested
OpenIDs. Intercepted assertions from OpenID providers can also be replayed
and used to obtain access to user accounts bound to the intercepted OpenIDs.
-------- VERSIONS AFFECTED  
---------------------------------------------------
* OpenID module for Drupal 5.x versions prior to 5.x-1.4
This issue affects the OpenID module for Drupal 5.x only. A separate security
announcement [1] and release is published for the OpenID core module in
Drupal 6.x.
-------- SOLUTION  
------------------------------------------------------------
Install the latest version:
  * If you use the OpenID module for Drupal 5.x upgrade to OpenID 5.x-1.4 [2]
See also the OpenID project page [3].
-------- REPORTED BY  
---------------------------------------------------------
* Johnny Bufu [4]
  * Christian Schmidt [5]
  * Heine Deelstra [6] of the Drupal security team
-------- FIXED BY  
------------------------------------------------------------
* Christian Schmidt [7]
  * Heine Deelstra [8] of the Drupal security team
  * Damien Tournoud [9] of the Drupal security team
-------- CONTACT  
-------------------------------------------------------------
The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/880476
[2] http://drupal.org/node/880496
[3] http://drupal.org/project/openid
[4] http://drupal.org/user/226462
[5] http://drupal.org/user/216078
[6] http://drupal.org/user/17943
[7] http://drupal.org/user/216078
[8] http://drupal.org/user/17943
[9] http://drupal.org/user/22211
[10] http://drupal.org/security-team