Can you please post this to the oss-security list ([email protected]), you don't need to be a member, I can approve the posting. This issue should get a CVE and public announcement as several vendors ship it (I think). Thanks and merry xmas!
On Thu, Dec 25, 2014 at 5:59 PM, isciurus <[email protected]> wrote:
> Hi,
>
> The php-openid library treats %0A/%0D characters in the hostname of an OpenID
> endpoint URL as valid and decodes them into the special characters \r\n right
> before making a discovery request to that location. When it uses curl to
> make web requests, and I guess this is the recommended way, libcurl passes
> these invalid URLs to the TCP stream in certain cases, for example when it
> is configured to work through a proxy. With this discovery logic php-openid
> allows crafting arbitrary requests inside the org network or to a loopback
> server interface, which exposes the infrastructure to the outside and is
> quite bad.
>
> For some reason, hostnames are converted in an unsafe way:
>
> https://github.com/openid/php-openid/blob/0ef9be71c1ff6114d04bc93d5156c00b25653a1b/Auth/OpenID/URINorm.php#L205
>
>     function Auth_OpenID_pct_encoded_replace($mo)
>     {
>         return chr(intval($mo[1], 16));
>     }
>     ...
>     if (strpos($host, '%') !== -1) {
>         $host = strtolower($host);
>         $host = preg_replace_callback(
>             Auth_OpenID_getEncodedPattern(),
>             'Auth_OpenID_pct_encoded_replace', $host); // <------------
>
> ..in contrast with the path:
>
>     function Auth_OpenID_pct_encoded_replace_unreserved($mo)
>     {
>         $_unreserved = Auth_OpenID_getUnreserved();
>         $i = intval($mo[1], 16);
>         if ($_unreserved[$i]) {
>             return chr($i);
>         } else {
>             return strtoupper($mo[0]);
>         }
>         return $mo[0];
>     }
>     ...
>     $path = preg_replace_callback(
>         Auth_OpenID_getEncodedPattern(),
>         'Auth_OpenID_pct_encoded_replace_unreserved', $path); // <----------
>
> Please have a look at the attached diff, this should resolve the problem.
>
> Thanks,
> Andrey Labunets
>
> _______________________________________________
> security mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-security
>

-- 
Kurt Seifried
[email protected]
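As an added example (not code from the php-openid project or from either poster), here is a Python reimplementation of the two decoding strategies quoted above, decode-everything for the host versus unreserved-only for the path, with the host normalization hardened to refuse any leftover escape or control character before the value can reach a request line or proxy. It assumes endpoint hosts are DNS names or IPv4 literals; the IPv6 bracket form is out of scope.

```python
import re

# Unreserved characters (RFC 3986 section 2.3): the only percent-escapes a
# normalizer may safely decode, because decoding them never changes meaning.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT_ENCODED = re.compile(r"%([0-9A-Fa-f]{2})")
# Assumption: endpoint hosts are DNS names or IPv4 literals (no IPv6 brackets).
HOST_CHARS = re.compile(r"[a-z0-9.-]+")


def decode_all(component):
    """Mirror of the quoted hostname branch: every %XX becomes chr(0xXX),
    including control characters such as %0D%0A (CR LF)."""
    return PCT_ENCODED.sub(lambda m: chr(int(m.group(1), 16)), component)


def decode_unreserved(component):
    """Mirror of the quoted path branch: decode an escape only when it encodes
    an unreserved octet; otherwise keep the escape, upper-cased for canonical form."""
    def replace(m):
        char = chr(int(m.group(1), 16))
        return char if char in UNRESERVED else m.group(0).upper()
    return PCT_ENCODED.sub(replace, component)


def unsafe_normalize_host(host):
    """Hostname normalization as quoted from URINorm.php (lower-case, then
    decode everything). Kept only so the defect is observable in a test."""
    return decode_all(host.lower())


def normalize_host(host):
    """Hardened variant: decode only unreserved escapes, then refuse any host
    that still carries an escape or a character outside the hostname alphabet,
    so CR/LF can never be smuggled into the outgoing discovery request."""
    normalized = decode_unreserved(host.lower())
    if not HOST_CHARS.fullmatch(normalized):
        raise ValueError(f"unsafe characters in endpoint host: {normalized!r}")
    return normalized


if __name__ == "__main__":
    # Constructed sample: a CR LF hidden in the host part of an endpoint URL.
    crafted = "example.com%0D%0Ainjected-line"
    print(repr(unsafe_normalize_host(crafted)))  # literal '\r\n' inside the host
    print(normalize_host("EX%61mple.com"))        # example.com
    try:
        normalize_host(crafted)
    except ValueError as err:
        print("rejected:", err)
```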
