By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2010-084
  • Project: OpenID (third-party module)
  • Version: 5.x
  • Date: 2010-Aug-11
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Authentication bypass

Description

The OpenID module provides users the ability to login to sites using an OpenID account.

The OpenID module doesn't implement the all required verifications from the OpenID 2.0 protocol and is vulnerable to a number of attacks.

Specifically:
- OpenID should verify that a "openid.response_nonce" has not already been used for an assertion by the OpenID provider
- OpenID should verify the value of openid.return_to as obtained from the OpenID provider
- OpenID must verify that all fields that are required to be signed are signed

These specification violations allow malicious sites to harvest positive assertions from OpenID providers and use them on sites using the OpenID module to obtain access to preexisting accounts bound to the harvested OpenIDs. Intercepted assertions from OpenID providers can also be replayed and used to obtain access to user accounts bound to the intercepted OpenIDs.

Versions affected

  • OpenID module for Drupal 5.x versions prior to 5.x-1.4

This issue affects the OpenID module for Drupal 5.x only. A separate security announcement and release is published for the OpenID core module in Drupal 6.x.

Solution

Install the latest version:

  • If you use the OpenID module for Drupal 5.x upgrade to OpenID 5.x-1.5

See also the OpenID project page.

Note: a bug in the 5.x-1.4 release caused an update to malfunction. If you used the update function in OpenID 5.x-1.4, please install OpenID 5.x-1.5 and run the new update.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Categories: Drupal 5.x