BugTraq
phpMyID can act as a redirector and as headers injector
Sep 30 2008 12:55AM
atomo64 gmail com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Subject: phpMyID can act as a redirector and as headers injector
Credits: Raphael Geissert <atomo64 (at) gmail (dot) com [email concealed]>
Release date: 2008-10-27
Affects: v0.9 [23-Jul-2008]
Resources:
* Homepage: http://siege.org/projects/phpMyID/
* Demo: http://phpmyid.com
Background:
phpMyID is a single user OpenID identity provider implemented in PHP.
Problem description:
The MyID.php script does not sanitize the input it is supposed to be given
by the site where the user wants to be authenticated. When the site tries
to find out whether the user is authenticated at the identity provider, and
the identity does not exist, the user is redirected to whatever site is
specified (or headers are injected, when php << 4.4.2 or php >= 5 && << 5.1.2).
Impact:
A user can be tricked and sent to their vulnerable identity provider,
from where the user will be redirected (and/or headers will be injected).
Example exploit:
MyID.php?openid_return_to=http://www.ecocho.com&openid_mode=checkid_immediate
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkjeok8ACgkQYy49rUbZzlp5fQCffp1xO3Ox3cZmbmRKR+yRIfzX
9jEAn1xz7fMhQVX4DtmO2WOUPA8gafyU
=fwM6
-----END PGP SIGNATURE-----
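
One way to validate openid_return_to before it is placed in a Location header, as an added example (not phpMyID's code and not the advisory author's fix). The function name validate_return_to and the $allowed_hosts allow-list of relying-party hosts are assumptions made for illustration; the sample inputs are constructed, apart from the URL quoted in the advisory.

```php
<?php
// Added example, not phpMyID code. $allowed_hosts is a hypothetical
// allow-list of relying-party hosts chosen by the identity owner.

/** Return a URL that is safe to use in a Location header, or null. */
function validate_return_to($return_to, array $allowed_hosts)
{
    if (!is_string($return_to) || $return_to === '') {
        return null;
    }
    // Reject control characters (CR, LF, NUL, ...). On PHP versions where
    // header() accepts multi-line values these would add response headers.
    if (preg_match('/[\x00-\x1f\x7f]/', $return_to)) {
        return null;
    }
    $parts = parse_url($return_to);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative, scheme-relative or malformed URL
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;
    }
    // Userinfo can disguise the real host (https://rp.example@other.example/).
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return null;
    }
    return $return_to;
}

$allowed_hosts = array('rp.example'); // constructed sample value
$cases = array(
    'https://rp.example/openid/finish?nonce=1', // constructed: allowed host
    'http://www.ecocho.com',                    // URL from the advisory
    "https://rp.example/\r\nX-Injected: 1",     // constructed: embedded CRLF
    'https://rp.example@other.example/',        // constructed: userinfo trick
    '//other.example/',                         // constructed: scheme-relative
);
foreach ($cases as $case) {
    $ok = validate_return_to($case, $allowed_hosts);
    // Only the first case is accepted; a rejected value should lead to a
    // local error page, never to header('Location: ...').
    printf("%-45s %s\n", json_encode($case), $ok === null ? 'rejected' : 'redirect');
}
```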