- Advisory ID: DRUPAL-SA-CONTRIB-2010-084
- Project: OpenID (third-party module)
- Version: 5.x
- Date: 2010-Aug-11
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Authentication bypass
Description
The OpenID module provides users the ability to login to sites using an OpenID account.
The OpenID module doesn't implement all the verifications required by the OpenID 2.0 protocol and is vulnerable to a number of attacks.
Specifically:
- OpenID should verify that an "openid.response_nonce" has not already been used for an assertion by the OpenID provider
- OpenID should verify the value of openid.return_to as obtained from the OpenID provider
- OpenID must verify that all fields that are required to be signed are signed
These specification violations allow malicious sites to harvest positive assertions from OpenID providers and use them on sites using the OpenID module to obtain access to preexisting accounts bound to the harvested OpenIDs. Intercepted assertions from OpenID providers can also be replayed and used to obtain access to user accounts bound to the intercepted OpenIDs.
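As an added example (not the module's own code, and written in Python rather than the module's PHP), the three verifications listed above applied to a constructed positive assertion; the clock-skew window, the sample values and the persistent nonce set are assumptions.

```python
import calendar
import time
from urllib.parse import parse_qs, urlsplit

REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
NONCE_WINDOW = 3600  # seconds of clock skew tolerated (an assumption; tune per site)

def verify_assertion(params, expected_return_to, seen_nonces, now=None):
    """The three checks the advisory says were missing. params holds the decoded
    openid.* fields; seen_nonces is a persistent set of (op_endpoint, nonce)."""
    now = time.time() if now is None else now
    # 1. Replay: the nonce must be recent and never accepted before from this OP.
    nonce = params.get("openid.response_nonce", "")
    try:  # nonce prefix is a UTC timestamp YYYY-MM-DDThh:mm:ssZ, then a unique suffix
        ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False, "response_nonce missing or malformed"
    if abs(now - ts) > NONCE_WINDOW:
        return False, "response_nonce outside the accepted time window"
    key = (params.get("openid.op_endpoint", ""), nonce)
    if key in seen_nonces:
        return False, "response_nonce already used (replay)"
    seen_nonces.add(key)
    # 2. return_to must be this site's URL: scheme, host and path must match, and
    #    each query parameter inside it must be present in the request unchanged.
    rt, exp = urlsplit(params.get("openid.return_to", "")), urlsplit(expected_return_to)
    if (rt.scheme, rt.netloc, rt.path) != (exp.scheme, exp.netloc, exp.path):
        return False, "return_to does not point at this site"
    for k, v in parse_qs(rt.query).items():
        if params.get(k) != v[0]:
            return False, "return_to query parameter %s altered or missing" % k
    # 3. Every field OpenID 2.0 requires to be signed must be listed in openid.signed;
    #    claimed_id and identity join the list whenever the response carries them.
    required = REQUIRED_SIGNED | {f for f in ("claimed_id", "identity") if "openid." + f in params}
    missing = required - set(params.get("openid.signed", "").split(","))
    if missing:
        return False, "unsigned required fields: " + ",".join(sorted(missing))
    return True, "ok"

SAMPLE = {  # constructed assertion, not real traffic; passes all three checks
    "openid.op_endpoint": "https://op.example.net/server",
    "openid.claimed_id": "https://alice.example.net/",
    "openid.identity": "https://alice.example.net/",
    "openid.return_to": "https://site.example.org/openid/authenticate?sid=123",
    "openid.response_nonce": "2010-08-11T12:00:00ZabcDEF",
    "openid.assoc_handle": "h1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    "sid": "123",
}
```

The nonce set must be shared across all web nodes and survive restarts, otherwise a captured assertion can still be replayed against another node.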
Versions affected
- OpenID module for Drupal 5.x versions prior to 5.x-1.4
This issue affects the OpenID module for Drupal 5.x only. A separate security announcement and release is published for the OpenID core module in Drupal 6.x.
Solution
Install the latest version:
- If you use the OpenID module for Drupal 5.x, upgrade to OpenID 5.x-1.5
See also the OpenID project page.
Note: a bug in the 5.x-1.4 release caused an update to malfunction. If you used the update function in OpenID 5.x-1.4, please install OpenID 5.x-1.5 and run the new update.
Reported by
- Johnny Bufu
- Christian Schmidt
- Heine Deelstra of the Drupal security team
Fixed by
- Christian Schmidt
- Heine Deelstra of the Drupal security team
- Damien Tournoud of the Drupal security team
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.